I. INTRODUCTION


A. MOTIVATION 

In the last decade increasing complexity in computer communication systems has
created a growing demand for formal techniques to specify, design, verify and test
protocols. In order to have a clear understanding of the protocols, both for the protocol
designer and implementor, it is essential to have a formal protocol specification.

There are a large number of formal techniques available for modeling protocols. Most
of these methods can be placed into one of the following general classifications [Ref. 1]:
communicating finite state machines, Petri nets, programming languages and hybrids.
Some models that have attracted the most interest and been chosen for standardization are
ESTELLE, LOTOS and SDL. Each of these has its own pros and cons.

Systems of communicating machines (SCM) is also a formally defined model for
specification, analysis and testing of protocols; it is defined in [Ref. 2]. This model uses
a combination of finite state machines and variables, which may be local to a single
machine or shared by two or more machines, so it can be classified among the models known as
“extended finite-state machines.” The main goal of the SCM model was to improve the
well-known simpler Communicating Finite-State Machines (CFSM) model. The SCM
model has been used to specify and analyze several protocols [Ref. 3], [Ref. 4], [Ref. 5],
[Ref. 6], [Ref. 7]. Analysis of protocols specified with this model can be executed using a
method called system state analysis. This analysis is similar to global reachability analysis,
but generates a subset of all reachable states. Sometimes this subset is sufficient to verify
the protocol. In some cases system state analysis is not sufficient for protocol analysis, and
global analysis is needed. However, it is possible to automate the system state analysis and
global analysis based on the SCM model.

Several tools exist for the design and verification of protocols. These tools are very 
important for increasing the usefulness of the formal description techniques (FDT). 


While there is no “perfect” formal specification technique, there is still room for more
work to understand the advantages of different formal models and develop better tools to
increase the utilization of these models.


B. SCOPE OF THE THESIS 

The goal of the thesis is to present a software tool, called mushroom, that automates
the reachability analysis of protocols formally specified using CFSM and SCM models.
The name mushroom was chosen as a symbol of something that starts out relatively small
(specification) and gets much bigger quickly (analysis). An earlier version of the program
[Ref. 8] was capable of generating reachability analysis for protocols consisting of only
two machines. This thesis expands on this earlier work and is capable of analyzing
protocols that have any number of machines from two to eight. In addition, the user interface
for the program has also been improved. The program was tested against results of several
previous works and has confirmed their results. It is also believed that this program will
help to solve some problems concerning the SCM model.


C. ORGANIZATION 

The thesis has six chapters. Chapter II reviews the Communicating Finite State
Machines (CFSM) and Systems of Communicating Machines (SCM) models. In Chapter
III, a program called simple mushroom, which automates the global reachability analysis
based on the CFSM model, is described. Chapter IV describes a program that automates the
system state analysis (smart mushroom), or the full global analysis (big mushroom) for
a protocol specified formally using the SCM model. In Chapter V, some examples of the
use of the program are given. Chapter VI concludes the thesis with a research review and
suggestions for future work.


II. BACKGROUND OF MODELS


A. COMMUNICATING FINITE STATE MACHINES 

The communicating finite state machine (CFSM) model is a simple model and perhaps the
earliest FDT. In this model, each machine in the network is modeled as a finite automaton
or finite state machine (FSM), with communication channels between pairs of machines
modeled as one-way, infinite length FIFO queues. There is a great deal of literature on this
model [Ref. 9] [Ref. 10] [Ref. 11]. The model is defined for an arbitrary number of
machines; however, for simplicity, a two machine model (shown in Figure 1) will be
presented here.


Figure 1: CFSM, 2 machine model representation





1. Model Definition 

This section defines the CFSM model [Ref. 12] and provides a simple protocol 
specification and analysis to clarify the definition. 

A communicating machine M is a finite, directed labeled graph with two types of
edges, sending and receiving. A sending (receiving) edge is labeled ‘-g’ (‘+g’) for some
message g, taken from a finite set G of messages. One of the nodes in M is identified as the
initial node, and each node is reachable from the initial node by some directed path. A node
in M whose outgoing edges are all sending (receiving) edges is a sending (receiving) node;
otherwise the node is a mixed node. If the outgoing edges of each node in M have distinct
labels, then M is deterministic, otherwise M is nondeterministic. The nodes of M are often
referred to as states; these two terms will be used interchangeably throughout this thesis.

Let M and N be two communicating machines having the same set G of messages;
the pair (M,N) is a network. A global state of this network is a four-tuple [m, c_m, n, c_n], where
m and n are nodes (states) from M and N, and c_m and c_n are strings from the set G of
messages. Intuitively, the global state [m, c_m, n, c_n] means that the machines M and N have
reached states m and n, and the communication channels contain the strings c_m and c_n of
messages, where c_m denotes the messages sent from M to N in channel C_M, and c_n denotes
the messages sent from N to M in channel C_N. In the case of k machines,
where k > 2, the global state can be represented as
[m_1, q_12, q_13, ..., m_2, q_21, q_23, ..., m_3, q_31, q_32, ..., m_k, q_k1, q_k2, ...], where the m_i are the nodes of
machines M_i and q_ij contains the messages sent from M_i to M_j. Subscripts i and j range
from 1..k and i ≠ j.

The initial global state of (M,N) is [m_0, E, n_0, E], where m_0 and n_0 are the initial
states of M and N, and E is the empty string.

The network progresses as transitions are taken in either M or N. Each transition 
consists of a state change in one of the machines, and either the addition of a message to 
the end of one channel (sending transition) or the deletion of a message from the front of 
one channel (receiving transition). 

A sending transition in M (N) adds a message to the end of channel C_M (C_N); a
receiving transition in M (N) removes a message from the front of channel C_N (C_M).

Suppose +g is a receiving transition from state i to j in machine M (N). The
transition can be executed if and only if M (N) is in state i and the message g is at the front
of the channel C_N (C_M). The execution takes zero time. After its execution, machine M (N)
is in state j, and the message g has been removed from the channel C_N (C_M).

Similarly, suppose -g is a sending transition from state i to j in M (N). The
transition can be executed if and only if M (N) is in state i. Afterwards, g appears on the end
of the outgoing channel, and the machine has transitioned to state j.

Suppose s_1 = [m, c_m, n, c_n] is a global state of (M,N). State s_2 follows s_1 if there is a
transition (in M or N) which can be executed in s_1 and which results in s_2. State s_2 is
reachable from s_1 if s_2 follows s_1, or if there is a sequence of states s_i, s_{i+1}, ...,
s_{i+p} such that s_i follows s_1, s_{i+1} follows s_i, and so on, and s_2 follows s_{i+p}. A state s is
reachable if it is reachable from the initial state.

The communication of a network (M,N) is bounded if, for every reachable state
[m, c_m, n, c_n], there is a nonnegative integer k such that |c_m| < k and |c_n| < k, where |c| denotes
the number of messages in channel C.

A reachability graph of a network (M,N) is a directed graph in which the nodes
correspond to the reachable global states of (M,N), and the edges represent the follows
function. That is, there is an edge from state s_i to state s_j if and only if s_j follows s_i. The
edges are labeled with the transitions which they represent. This reachability graph can be
generated by starting with the initial state, and adding the states which follow it, connecting
them to it with edges; and repeating for each new state generated.

The next two definitions are of errors that may occur in a communication 
protocol, which are detectable by analysis. 


A global state [m, c_m, n, c_n] is a deadlock state if both m and n are receiving nodes,
and c_m = c_n = E, where E denotes the empty string.

A global state [m, c_m, n, c_n] is an unspecified reception state if one of the following
two conditions is true:

(1) m is a receiving state, the message at the head of channel c_n is g, and none of
m’s outgoing transitions is labeled ‘+g.’

(2) n is a receiving state, the message at the head of channel c_m is g, and none of
n’s outgoing transitions is labeled ‘+g.’

These error conditions can be identified by generating the reachability graph for
a network, and inspecting all states as they are generated.

In the next section, an example protocol is specified and analyzed using the
CFSM model.


2. An Example of Protocol Specification and Analysis Using CFSM 
The CFSM specification of an imaginary ring-like network consisting of three
communicating machines is shown in Figure 2.


Figure 2: CFSM specification for the example protocol


It is assumed that the protocol is used at the data link layer, making use of the
services provided by the physical layer.

Edges are labeled such that the characters following the ‘-/+’ show the messages
and the numbers represent the destination machine. Each machine sends one message to the
next machine and receives a message from the previous machine in clockwise direction
forming a ring. Ignore the dashed edges and nodes for the time being. The initial state of
each machine is 1; thus the initial global state is [1,E,E,1,E,E,1,E,E].

The reachability analysis can be done by a simple procedure. Starting with the
initial global state only one transition is possible, the ‘-D0’ of machine 1 from state 1.
This leads to global state [2,D0,E,1,E,E,1,E,E]. We can continue the analysis in the same
manner, detecting the possible transitions from this new global state. The complete
reachability analysis is given in Figure 3, consisting of a total of six states.


[1,E,E,1,E,E,1,E,E]
    | -D0,2
[2,D0,E,1,E,E,1,E,E]
    | +D0,1
[2,E,E,2,E,E,1,E,E]
    | -D1,3
[2,E,E,1,E,D1,1,E,E]
    | +D1,2
[2,E,E,1,E,E,2,E,E]
    | -D2,1
[2,E,E,1,E,E,1,D2,E]
    | +D2,3

Figure 3: Reachability analysis of the example protocol


In this sample protocol, there are no deadlocks or unspecified receptions. If the
dashed edges and states in Figure 2 are added to the specification, the reachability analysis
shown in Figure 4 would be achieved. In this analysis there is one deadlock condition and
one unspecified reception. In global state [3,E,E,3,E,E,1,E,E], all the channels are empty
and all the nodes are receiving nodes, satisfying the deadlock condition. In global state
[2,E,E,1,E,E,3,D4,E], machine 1 and machine 2 are in receiving states but none of the
outgoing transitions are labeled ‘+D4’, satisfying an unspecified reception condition.

Figure 4: Reachability analysis including errors


3. Summary 
The CFSM model is simple and easy to understand. However, as the protocols
become more complex, this model becomes difficult to use due to a combinatorial
explosion of states. The analysis might not terminate if the queue length is unbounded. The
number of states in the reachability graph will be unmanageably large for such complex
protocols even if the queue length is bounded. A computer analysis might eventually
terminate, but the CPU time would still be days or even months, which is obviously impractical.
Another disadvantage is that as the protocols become more complex, the
specification of the protocol can be so large, consisting of many states and transitions, that
it becomes very hard to tell whether it is the intended specification. Several examples are
given in Chapter V that show the size of the analysis for some protocols.


B. SYSTEMS OF COMMUNICATING MACHINES 

In this section the SCM model is described. First the model definition is given, then
the algorithm for generating the system state analysis is described. Finally the model is used
for specification and analysis of an example protocol to illustrate the important aspects of
the model.


1. Model Definition 
A system of communicating machines is an ordered pair C = (M,V), where
M = {m_1, m_2, ..., m_n}
is a finite set of machines, and
V = {v_1, v_2, ..., v_k}
is a finite set of shared variables, with two designated subsets R_i and W_i specified
for each machine m_i. The subset R_i of V is called the set of read access variables for
machine m_i, and the subset W_i the set of write access variables for m_i.

Each machine m_i ∈ M is defined by a tuple (S_i, s, L_i, N_i, τ_i), where

(1) S_i is a finite set of states;

(2) s ∈ S_i is a designated state called the initial state of m_i;

(3) L_i is a finite set of local variables;

(4) N_i is a finite set of names, each of which is associated with a unique pair (p,a),
where p is a predicate on the variables L_i ∪ R_i, and a is an action on the variables of L_i ∪
R_i ∪ W_i. Specifically, an action is a partial function
a: L_i × R_i → L_i × W_i
from the values of the local variables and read access variables to the values of
the local variables and write access variables.

(5) τ_i: S_i × N_i → S_i is a transition function, which is a partial function from the
states and names of m_i to the states of m_i.


Machines model the entities, which in a protocol system are processes and 
channels. The shared variables are the means of communication between the machines. 


Intuitively, R_i and W_i are the subsets of V to which m_i has read and write access,
respectively. A machine is allowed to make a transition from one state to another when the
predicate associated with the name for that transition is true. Upon taking the transition, the
action associated with that name is executed. The action changes the values of local and/or
shared variables, thus allowing other predicates to become true.

The sets of local and shared variables specify a name and range for each. In most 
cases, the range will be a finite or countable set of values. For proper operation, the initial 
values of some or all of the variables should be specified. 

A system state tuple is a tuple of all machine states. That is, if (M,V) is a system
of n communicating machines, and s_i, for 1 ≤ i ≤ n, is the state of machine m_i, then the n-
tuple (s_1, s_2, ..., s_n) is the system state tuple of (M,V). A system state is a system state tuple,
plus the outgoing transitions which are enabled. Thus two system states are equal if every
machine is in the same state, and the same outgoing transitions are enabled.

The global state of a system consists of the system state tuple, plus the values of
all variables, both local and shared. It may be written as a larger tuple, containing the
system state tuple with the values of the variables. The initial global state is the initial
system state tuple, with the additional requirement that all variables have their initial
values. The initial system state is the system state such that every machine is in its initial
state, and the outgoing transitions are the same as in the initial global state.

A global state corresponds to a system state if every machine is in the same state,
and the same outgoing transitions are enabled. Clearly, more than one global state may
correspond to the same system state.


Let τ(s_1, n) = s_2 be a transition which is defined on machine m_i. Transition τ is
enabled if the enabling predicate p, associated with name n, is true. Transition τ may be
enabled whenever m_i is in state s_1 and the predicate p is true (enabled). The execution of τ
is an atomic action, in which both the state change and the action a associated with n occur
simultaneously.

It is assumed that if a transition is enabled indefinitely, then it will eventually
occur. This is an assumption of fairness, and is needed for the proofs of certain properties.


2. Algorithm: System State Analysis 
The process of generating the set of all system states reachable from the initial
state is called system state analysis. This analysis constructs a graph, whose nodes are the
reachable system states, and whose arcs indicate the transitions leading from each system
state to another. This graph may be generated by a mechanical procedure which consists of
the following three steps [Ref. 1]:

1. Set each machine to its initial state, and all variables to their initial values. The
initial set of reachable system states consists of only the initial system state; the
initial graph is a single node representing this state.

2. From the current system state vector and variable values, determine which
transitions are enabled. For each of these transitions, determine the system state
which results from its execution. If this state (with the same enabled transitions)
has already been generated, then draw an arc from the current state to it, labelling
the arc with the transition name. Otherwise, add the new system state to the graph,
draw an arc from the current state to it, and label the arc with the name of the
transition.

3. For each new state generated in step 2, repeat step 2. Continue until step 2 has
been repeated for each system state thus generated, and no more new states are
generated.


3. An Example of Protocol Specification and Analysis Using SCM 

The specification of an imaginary ring-like network consisting of three machines
similar to the CFSM example in the previous section is given in Figure 5. The specification
consists of the finite state machines, the local and shared variables, and the predicate-action
table, shown in Table 1. The local variables are in_buff1, in_buff2, in_buff3, out_buff1,
out_buff2, and out_buff3, and are shown under the corresponding FSMs with their initial
values. The shared variables are CHAN1, CHAN2, and CHAN3, and are shown between the
two machines. The initial state of each machine is 0, and the shared variables and local
variables are empty except the local variable out_buff1, which has data in it. E in the
predicate-action table shows the empty string. A character D will be used to represent the
data in the out_buff1 local variable. Other notations in the predicate-action table are
intuitive.

Each machine sends one message to the next machine and receives a message
from the previous machine in clockwise direction forming a ring. The global reachability
analysis, shown in Figure 6, has 12 states. The system state analysis, shown in Figure 7, has
only 6 states. The subscripts in Figure 7 are used so that distinct system states having the
same tuple (but not the outgoing transitions) may easily be distinguished.
Figure 5: FSMs and variables for the example protocol


TABLE 1: PREDICATE-ACTION TABLE FOR THE EXAMPLE PROTOCOL

Transition | Enabling Predicate        | Action
snd_data1  | CHAN1 = E ∧               | CHAN1 ← out_buff1
rcv_data3  | CHAN3 ≠ E                 | in_buff1 ← CHAN3; out_buff1 ← in_buff1; CHAN3 ← E
snd_data2  | CHAN2 = E ∧ out_buff2 ≠ E | CHAN2 ← out_buff2; out_buff2 ← E
rcv_data1  | CHAN1 ≠ E                 | in_buff2 ← CHAN1; out_buff2 ← in_buff2; CHAN1 ← E
snd_data3  | CHAN3 = E ∧               | CHAN3 ← out_buff3
rcv_data2  | CHAN2 ≠ E                 | in_buff3 ← CHAN2; out_buff3 ← in_buff3; CHAN2 ← E
[m1,in_buff1,out_buff1,m2,in_buff2,out_buff2,m3,in_buff3,out_buff3,CHAN1,CHAN2,CHAN3]

Figure 6: Global reachability analysis for the example protocol


Thus, for this protocol we have 6 system states, and 12 global states. For more
complex protocols, the difference between these numbers can be much greater. For example,
for a sliding window protocol with a window size of 8, the system state analysis was shown to
generate 165 states, while the full global analysis generated 11880 states [Ref. 1].

Figure 7: System state analysis for the example protocol
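
The three-step procedure of Section 2 applied to this ring protocol, as an added Python example (not the thesis's Ada program). The 0 -> 1 -> 0 edges of each machine and the out_buff terms of snd_data1 and snd_data3 are assumptions, filled in by symmetry with the snd_data2 row of Table 1; with system_state=False the same function performs the full global analysis.

```python
from collections import deque

E = ""  # the empty value written E in Table 1

def snd(out_buff, chan):
    # Send row: CHAN = E and out_buff /= E; CHAN <- out_buff, out_buff <- E.
    # Assumption: machines 1 and 3 follow the same pattern as snd_data2.
    return (lambda v: v[chan] == E and v[out_buff] != E,
            lambda v: {**v, chan: v[out_buff], out_buff: E})

def rcv(in_buff, out_buff, chan):
    # Receive row: CHAN /= E; in_buff <- CHAN, out_buff <- in_buff, CHAN <- E.
    return (lambda v: v[chan] != E,
            lambda v: {**v, in_buff: v[chan], out_buff: v[chan], chan: E})

# name -> (machine index, from state, to state, predicate, action).
# The 0 -> 1 -> 0 edges are an assumed reading of Figure 5.
RING = {
    "snd_data1": (0, 0, 1, *snd("out_buff1", "CHAN1")),
    "rcv_data3": (0, 1, 0, *rcv("in_buff1", "out_buff1", "CHAN3")),
    "rcv_data1": (1, 0, 1, *rcv("in_buff2", "out_buff2", "CHAN1")),
    "snd_data2": (1, 1, 0, *snd("out_buff2", "CHAN2")),
    "rcv_data2": (2, 0, 1, *rcv("in_buff3", "out_buff3", "CHAN2")),
    "snd_data3": (2, 1, 0, *snd("out_buff3", "CHAN3")),
}
INIT_STATES = (0, 0, 0)
INIT_VARS = {name: E for name in (
    "in_buff1", "out_buff1", "in_buff2", "out_buff2", "in_buff3", "out_buff3",
    "CHAN1", "CHAN2", "CHAN3")}
INIT_VARS["out_buff1"] = "D"   # only out_buff1 holds data initially

def enabled(transitions, states, variables):
    """Names of the transitions whose source state and predicate both hold."""
    return frozenset(name for name, (m, src, _dst, pred, _act) in transitions.items()
                     if states[m] == src and pred(variables))

def analyse(transitions, states, variables, system_state=True):
    """Breadth-first generation of the state graph.
    system_state=True : a node is (state tuple, enabled transitions)
    system_state=False: a node is (state tuple, all variable values)
    Returns (set of nodes, list of (node, transition name, node) arcs)."""
    def node(st, var):
        if system_state:
            return (st, enabled(transitions, st, var))
        return (st, tuple(sorted(var.items())))

    nodes, arcs = {node(states, variables)}, []
    work = deque([(states, dict(variables))])        # step 1: initial state only
    while work:
        st, var = work.popleft()
        here = node(st, var)
        for name in sorted(enabled(transitions, st, var)):
            m, _src, dst, _pred, action = transitions[name]
            nxt_st, nxt_var = st[:m] + (dst,) + st[m + 1:], action(var)
            there = node(nxt_st, nxt_var)
            arcs.append((here, name, there))         # step 2: always draw the arc
            if there not in nodes:                   # step 3: expand new states only
                nodes.add(there)
                work.append((nxt_st, nxt_var))
    return nodes, arcs

if __name__ == "__main__":
    system_nodes, _ = analyse(RING, INIT_STATES, INIT_VARS, system_state=True)
    global_nodes, _ = analyse(RING, INIT_STATES, INIT_VARS, system_state=False)
    print(len(system_nodes), "system states,", len(global_nodes), "global states")
```

The global run distinguishes a first pass around the ring, in which the in_buff variables are still empty, from every later pass; the system state run merges the two because the machine states and enabled transitions repeat.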


4. Summary 

The SCM model has desirable properties which overcome some of the
disadvantages of the CFSM model. One of the advantages of the SCM model is that it
greatly reduces the state explosion through the use of system state analysis. In
some cases, however, the system state analysis is not sufficient for protocol analysis, and
some other method - such as global analysis - must be used. A problem with the system
state analysis is that loops in the state machines may cause an insufficient analysis.
This problem is illustrated with an example in Chapter V.

Another advantage of the SCM model is that it allows communication between
machines in a nonsequential manner, unlike the FIFO queue representation in the CFSM
model. The SCM model specification is also easier to understand than the CFSM model for
more complex protocols.

III. SIMPLE MUSHROOM: A PROGRAM FOR AUTOMATING CFSM
REACHABILITY ANALYSIS


This chapter and the next will describe a program called mushroom, which
was written in the Ada programming language. Mushroom automates the reachability
analysis of protocols specified by the CFSM and the SCM models. The Mushroom program
was first developed as two separate programs. The first program, called simple mushroom,
automates the CFSM analysis. The second program automates either system state analysis
(smart mushroom), or the full global analysis (big mushroom) for a protocol specified
formally by the SCM model. The general structure of the Mushroom program is shown in
Figure 8.


CFSM Specification  ->  Simple Mushroom  ->  Global Reachability Analysis
SCM Specification   ->  Big Mushroom     ->  Global Reachability Analysis
SCM Specification   ->  Smart Mushroom   ->  System State Analysis

Figure 8: General structure of Mushroom program


The Simple Mushroom program is described in this chapter in four sections: program
structure, inputs to the program, generating the reachability analysis, and outputs of the
program.


A. PROGRAM STRUCTURE 

The Simple Mushroom program consists of Ada subprograms (procedures and
functions), which are separate compilation units and subunits of compilation units. Related
subprograms are also gathered in the same files. The compilation units of the program are
shown in Table 2. Procedure main is the parent unit. All of the subprograms are the
subunits of procedure main. [Ref. 13]


TABLE 2: SIMPLE MUSHROOM PROGRAM COMPILATION UNITS

Unit | Description | File Name
main (procedure) | This is the parent unit. Contains the main data structures, global variables, and the driver. |
load_machine_array (procedure) | Builds the adjacency lists from FSMs. |
read_in_file (procedure) | Parses the input FSM text file. |
build_Gstate_graph (procedure) | Generates the reachability graph. | treachability.a
IsEqual (function) | Compares two global states for equality. | treachability.a
hash (function) | Generates an index number according to the hashing function. | treachability.a
clear_pointers (procedure) | Deallocates the dynamic memory space for another analysis. | treachability.a
find_tuple (function) | Searches the reachability graph for the equivalent tuples using external (open) hashing. | tsearch.a
Clear_hash_array (procedure) | Clears the hash array and deallocates the memory. |
Print_Queue (procedure) | Prints the FIFO queues. |
output_Gstate_transition (procedure) | Outputs the transition name. |
output_Gstate_node (procedure) | Outputs the machine states, unspecified receptions, and the states with deadlocks. |
output_machine_arrays (procedure) | Outputs the FSM description in a tabular format. |
output_unexecuted_transitions (procedure) | Outputs the unexecuted transitions. |
create_output_file (procedure) | Creates an output file for storing the analysis results. |
Output_analysis (procedure) | Driver for the output subprograms. |
system_call (procedure) | Interface procedure for Unix system calls via C. |
message_queues (package) | Implements the queue operations for the FIFO communication channels. |
pointer_queues (generic package) | Implements the queue operations for the pointer queue that stores the global tuples temporarily. |

File Name (continued): tsearch.a, toutput.a, toutput.a, toutput.a, toutput.a, toutput.a, tsystem.a, tqueues.a, tqueues_2.a

The method of splitting the program into separate compilation units has permitted a
hierarchical program development.


B. INPUT 

The CFSM specification of a protocol consists of only FSMs of the communicating
machines. In the program, FSMs are represented with a text file. The user enters the
directed graphs as a text file using some reserved words, numbers, and characters
representing the machines, states and the transitions. The list of reserved words and the
syntax for the FSM text description are shown in Figure 9 in Backus-Naur Form (BNF).


reserved_word ::= start
                | number_of_machines
                | machine
                | state
                | trans
                | initial_state
                | finish
number_of_machines <machine_number>
machine 1 | <machine_number>
state <state_number>
trans {+|-}<message> <next_state> <next_machine>
initial_state <state_number> <state_number> [<state_number>] [<state_number>]
              [<state_number>] [<state_number>] [<state_number>] [<state_number>]
<machine_number> ::= 2|3|4|5|6|7|8
<state_number> ::= 0|1|2|3|.....|50
<message> ::= {<letter>|<digit>} {<letter>|<digit>} {<letter>|<digit>}
<next_state> ::= <state_number>
<next_machine> ::= 1 | <machine_number>
<letter> ::= a|b|...|z|A|B|...|Z
<digit> ::= 0|1|2|3|4|5|6|7|8|9

Figure 9: Syntax for the text description of FSM

As can be seen from Figure 9, the maximum number of machines allowed is eight, and
the number of states for each machine can be from 0 to 50. Transition names must be at
most three characters long and may be any combination of letters or digits. These
constraints can be relaxed with slight modifications to the program, if necessary.

The input file for the example protocol in Chapter II for the CFSM model is shown in
Figure 10. For example, “trans -D3 3 2” represents a transition from state 1 to state 3 (first
number) in machine 1 sending (“-” sign) the message “D3” to machine 2. “initial_state 1 1
1” means that the initial states of machine 1, machine 2, and machine 3 are state 1.


start
number_of_machines 3
machine 1
state 1
trans -D3 3 2
trans -D0 2 2
state 2
trans +D2 1 3
machine 2
state 1
trans +D3 3 1
trans +D0 2 1
state 2
trans -D1 1 3
machine 3
state 1
trans +D2 2 2
state 2
trans -D4 3 1
trans -D2 1 1
initial_state 1 1 1
finish


Figure 10: Text file description of the FSM 


First, this file is parsed by the read_in_file procedure and tokens are generated. Then, the
load_machine_array procedure constructs an adjacency list which represents the FSMs.

The data structure for the adjacency list is shown below:


type cfsm_transition_type is (s,r,u);   -- s and r mark sending and receiving edges
type visit_type is (yes,no);
type state_type is range 0..50;
type next_machine_type is range 1..8;
type machine_array_record_type;
type Slink_type is access machine_array_record_type;
type machine_array_record_type is
   record
      transition    : cfsm_transition_type := u;
      message       : Message_queue.message_queue_type;
      next_Mstate   : state_type := 0;
      other_machine : next_machine_type := 1;
      visited       : visit_type := no;
      Slink         : Slink_type := null;   -- next edge leaving the same state
   end record;

type machine_array_type is array(state_type range 0..50) of Slink_type;
type system_array_type is array(next_machine_type range 1..8) of machine_array_type;


The adjacency list for the example protocol is depicted in Figure 12. This adjacency
list is used for constructing the global reachability graph. The adjacency list contains all the
necessary information for generating the global reachability graph.

The user also provides the name of the text input file and a file name for storing the
analysis results. The input file name must end with the “.fsm” extension to prevent confusion. The
output file name must be no more than 20 characters long.


C. REACHABILITY ANALYSIS 
After reading the input file the program starts generating the global reachability graph. 
The program uses the adjacency list and the initial state to construct the global reachability 
graph. Starting with the initial state, the new states are added and linked to the graph 
dynamically. The algorithm to construct the global reachability graph is given in Figure 13. 
During the graph construction, the program also detects the global states with
deadlocks and unspecified receptions. The program also finds the maximum message
queue size and channel overflows. Analysis results are stored in the output file in parallel
with the graph construction. This prevents the traversal of the entire graph one more time
at the end of the program and decreases the run time.

Figure 12: Adjacency list for the example ring protocol in Chapter II


loop (main loop)
  for index1 in 1 .. total_number_of_machines loop
    place_holder(index1) := machine_array(index1)(M_state(index1))
    while (place_holder(index1) /= null) loop
      loop
        if (place_holder(index1).transition = s) then
          Enqueue the message into the corresponding message queue
          search the graph for this new global state tuple
          if not found then create a new node and link to the graph
            Enqueue this new node to the pointer queue
          else link the transition to found global state tuple
        else
          if (place_holder(index1).transition = r) and at least one of the message queues for
             this machine is not empty then
            find this message queue and Dequeue
            search the graph for this new global state tuple
            if not found then create a new node and link to the graph
              Enqueue this new node to the pointer queue
            else link the transition to found global state tuple
        end if;
        place_holder(index1) := place_holder(index1).Slink
        exit
      end loop
    end loop
  end loop
  if pointer_queue empty then
    exit
  else
    Dequeue pointer queue and update M_state for this new node
  end if
end loop (main loop)


Figure 13: Algorithm for generating global reachability graph for CFSM


One of the most time consuming procedures is the search algorithm for detecting if a
node was previously created. The previous version of the program [Ref. 8] used a depth
first search / breadth first search in a recursive manner. In this program, the search is made
more efficient using a hashing algorithm. The hash function is obtained from the machine
states of the global tuple, which has provided an efficient mapping. Therefore, the
complexity of the search algorithm is O(1) when the hash function generates a distinct
index (no collision) and O(n) when the same index is generated, where n is the number of
hash collisions for that state. In many sample runs of the program, the complexity was O(1)
for about 30% of the global states, and 3 nodes had to be traversed on the average for 70%
of the global states. The reachability analysis is limited by the storage capacity of the
computer. The run time is also another factor that must be considered. The largest analysis
carried out by the program thus far has generated about 160,000 states in 12 hours for a six
machine protocol specification. Some alternative methods for improving the efficiency of
the program and analysis size using other search techniques are discussed in Chapter VI.

The structure of a global node is shown in Figure 14. The maximum number of
outgoing transitions is limited to 7, which can be increased if needed. Also, a maximum
channel capacity of 6 messages is introduced to ensure that the analysis eventually stops.
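The analysis described in this section, as an added Python example (not the thesis's Ada program): breadth-first generation of CFSM global states with a hash table indexed by the machine states only, reporting deadlocks, unspecified receptions, maximum queue size and channel overflows at the capacity of 6. The hash formula, the table size, the two sample specifications and the exact deadlock and unspecified-reception tests are assumptions of this example.

```python
from collections import deque

CAPACITY = 6        # channel bound quoted in the text above
TABLE_SIZE = 1009   # assumed table size; the thesis does not state one


class StateTable:
    """Hash table of global states whose index uses the machine states only."""

    def __init__(self):
        self.buckets = [[] for _ in range(TABLE_SIZE)]

    @staticmethod
    def index(mstates):
        # Assumed hash: machine states read as base-51 digits (states 0 .. 50).
        h = 0
        for s in mstates:
            h = h * 51 + s
        return h % TABLE_SIZE

    def add_if_new(self, gstate):
        bucket = self.buckets[self.index(gstate[0])]
        if gstate in bucket:          # walks the collision chain: O(n)
            return False
        bucket.append(gstate)         # empty bucket: O(1)
        return True

    def longest_chain(self):
        return max(len(b) for b in self.buckets)


def analyze(machines, capacity=CAPACITY):
    """Breadth-first global reachability analysis of a CFSM specification.

    machines[i][state] is a list of arcs (kind, msg, peer, next_state) where
    kind is 's' (send msg to peer) or 'r' (receive msg from peer).
    """
    n = len(machines)
    init = ((0,) * n, ((),) * (n * n))   # queue src->dst lives at src*n + dst
    table = StateTable()
    table.add_if_new(init)
    work = deque([init])
    executed = set()
    res = {"states": 1, "deadlocks": [], "unspecified": [],
           "max_queue": 0, "overflows": 0}
    while work:
        mstates, queues = work.popleft()
        progressed = False
        for i in range(n):
            for kind, msg, peer, nxt in machines[i].get(mstates[i], []):
                if kind == "s":
                    k = i * n + peer
                    if len(queues[k]) >= capacity:
                        res["overflows"] += 1    # bounded channel: do not expand
                        continue
                    new_q = queues[k] + (msg,)
                else:
                    k = peer * n + i
                    if not queues[k] or queues[k][0] != msg:
                        continue                 # FIFO: only the head is receivable
                    new_q = queues[k][1:]
                progressed = True
                executed.add((i, mstates[i], kind, msg))
                res["max_queue"] = max(res["max_queue"], len(new_q))
                child = (mstates[:i] + (nxt,) + mstates[i + 1:],
                         queues[:k] + (new_q,) + queues[k + 1:])
                if table.add_if_new(child):
                    res["states"] += 1
                    work.append(child)
        # Assumed definition: deadlock = nothing enabled and every channel empty.
        if not progressed and not any(queues):
            res["deadlocks"].append(mstates)
        # Assumed definition: unspecified reception = the receiver's state offers
        # only receptions and none of them accepts the head of the channel.
        for k, q in enumerate(queues):
            src, dst = divmod(k, n)
            arcs = machines[dst].get(mstates[dst], [])
            if q and all(a[0] == "r" for a in arcs) and \
                    not any(a[1] == q[0] and a[2] == src for a in arcs):
                res["unspecified"].append((mstates, q[0]))
    declared = {(i, s, a[0], a[1]) for i, m in enumerate(machines)
                for s, arcs in m.items() for a in arcs}
    res["unexecuted"] = sorted(declared - executed)
    res["longest_chain"] = table.longest_chain()
    return res


# Constructed specifications (not from the thesis); machines are numbered from 0.
HANDSHAKE = [
    {0: [("s", "req", 1, 1)],
     1: [("r", "ack", 1, 0), ("r", "nak", 1, 2)],
     2: [("r", "ack", 1, 0)]},                    # waits for an ack never sent
    {0: [("r", "req", 0, 1)],
     1: [("s", "ack", 0, 0), ("s", "nak", 0, 0), ("s", "busy", 0, 0)]},
]
FLOOD = [{0: [("s", "d", 1, 0)]}, {0: [("r", "d", 0, 0)]}]   # sender never waits

if __name__ == "__main__":
    for name, spec in (("handshake", HANDSHAKE), ("flood", FLOOD)):
        print(name, analyze(spec))
```

In the flood specification every global state has the same machine states, so all of them land in one bucket and each search walks the whole chain; this is the O(n) case the text describes.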


D. OUTPUT 

The program stores the analysis results in a file named by the user during the 
reachability graph construction. This file contains the specification in a tabular format, 
reachability graph and the results of the analysis consisting of the number of states 
generated, number of states analyzed, number of deadlocks, number of unspecified 
receptions, maximum message queue size and number of channel overflows. Global states 
with deadlocks and unspecified receptions are also marked in the reachability graph. The 
output file also lists the unexecuted transitions. A menu is displayed at the end of the 
analysis. From this menu the user has the option of displaying or printing the results or
continuing the program for another analysis.

If the analysis generates more than 2000 states, the program gives an interim summary
of the analysis and asks the user if they would like to continue. If the user wishes to 
continue, analysis proceeds in steps of 1000 states until the analysis ends or the user 
terminates the analysis (as long as memory is available). For analyzing large protocols, the 
number of states between these “stops” can be made larger (for example, increments of 
5000 or 10000). The program output for the example protocol in Chapter II is given in 
Figure 15. 


[Diagram of the global node. Labelled fields: system state number; machine state (1 to 8); GTUPLE with queue_num 1,2 and queue_num 8,8.]

Figure 14: Global state structure with outgoing transitions

REACHABILITY ANALYSIS of : ring. fem

[Program listing. The SPECIFICATION part tabulates the state transitions of the three machines under the columns From, To, other machine and Transition. The reachability graph part lists the generated global states and marks one state with a deadlock condition and one with an unspecified reception.]

SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)
Total number of states generated : 9
Number of states analyzed : 9
Number of deadlocks : 1
Number of unspecified receptions : 1
Maximum message queue size : 1
Channel overflow : NONE

UNEXECUTED TRANSITIONS
*****NONE*****


Figure 15: Program output for the example ring protocol

IV. SMART AND BIG MUSHROOM: A PROGRAM FOR AUTOMATING SCM
REACHABILITY ANALYSIS

In this Chapter, programs that automate either system state analysis (Smart
Mushroom) or the full global analysis (Big Mushroom) for a protocol specified by SCM
are described. The program is described in four sections: general program structure, inputs
to the program, generating the reachability graph, and outputs of the program.


A. PROGRAM STRUCTURE 

The program structure of Smart Mushroom and Big Mushroom is similar to the structure
of Simple Mushroom. The SCM model specification is more complicated than the CFSM
specification, but this complexity in the specification brings some advantages to the
analysis as mentioned in Chapter II. A protocol specified by the SCM model consists of
FSMs, variable definitions, and a predicate-action table, rather than just the FSMs as in
the CFSM model.

FSMs are entered into the program in the same manner as in the Simple Mushroom
program, using a text file. The variable definitions and predicate-action table must also be
entered into the program. The user enters these parts by completing Ada packages¹ and
subprograms using the templates provided.

The compilation units for the program are shown in Table 3. The user has access to the
last four packages/subprograms. Once the user completes these subprograms using the
templates and compiles them with the other compilation units, the analysis of the specified
protocol can be performed. Construction of the specification in the form of Ada packages
and subprograms is explained in the next section.

1. Ada packages are one of the four forms of program unit, of which programs can be composed.
The other forms are subprograms, task units, and generic units. Packages allow the specification of
groups of logically related entities. In their simplest form packages specify pools of common object
and type declarations. [Ref. 13]


TABLE 3: SMART AND BIG MUSHROOM PROGRAM COMPILATION UNITS

Compilation unit | Description | File
Main (procedure) | This is the parent unit. Contains the main data structures, global variables, and the driver. |
load_machine_array (procedure) | Builds the adjacency lists from FSMs. |
read_in_file (procedure) | Parses the input FSM text file. |
build — (procedure) | Generates the global reachability graph. |
build_system_state_graph (procedure) | Generates the system reachability graph. | sg_reachability.a
hash (function) | Generates an index number according to the hashing function. | sg_reachability.a
clear_pointers (procedure) | Deallocates the dynamic memory space for another analysis. | sg_reachability.a
search_for_Gtuple (function) | Searches the reachability graph for the equivalent global tuples using hashing. | sg_search.a
clear_hash_array (procedure) | | sg_search.a
search_for_Stuple (function) | Searches the reachability graph for the equivalent system tuples using hashing. | sg_search.a
clear_hs_hash_array (procedure) | Clears the hash array and deallocates the memory for system state analysis. | sg_search.a
Output_Gstate_node (procedure) | Outputs the machine states, and states with deadlock for global reachability analysis. | sg_output.a
output_sys_node (procedure) | Outputs machine states, and states with deadlock for system state analysis. | sg_output.a
output_Gstate_transition (procedure) | Outputs the transition name for global reachability analysis. | sg_output.a
output_Sys_transition (procedure) | Outputs the transition name for system state analysis. | sg_output.a
output_unexecuted_transitions (procedure) | Outputs the unexecuted transitions. | sg_output.a
output_machine_arrays (procedure) | Outputs the FSM description in a tabular format. | sg_output.a
output_analysis (procedure) | Driver for the output subprograms. | sg_output.a
system_call (procedure) | Interface program for Unix system calls via C. | ssystem.a
queues (generic package) | Implements the queue operations for the pointer queue that stores the nodes temporarily. | squeues.a
stacks (generic package) | Implements the stack operations for storing enabled transitions. | sstacks.a
definitions (package) | Includes user defined local and shared variables. | named by the user
Analyze_Predicates (procedure) | Determines the enabled transitions from the predicates. There is one for each machine. | named by the user
Action (procedure) | Executes the actions for the enabled transitions. | named by the user
output_gtuple (procedure) | Outputs the global state tuples in a format defined by the user. | named by the user


B. INPUT

The inputs to the program consist of three parts, as mentioned earlier. FSMs are
entered using a text file representation as in the Simple Mushroom program. Variables and
the predicate-action table are entered as Ada packages/subprograms. The user needs to
complete these packages and subprograms by filling in the templates provided.

The Ada package template for the variable declarations is called “definitions.” The
predicate-action table is entered using an Ada subprogram template which consists of one
procedure named “Action” and two to eight procedures called
“Analyze_Predicates_Machine*” according to the number of machines in the protocol.
The “*” at the end of the procedure name is replaced by the corresponding machine number
for each machine in the protocol.

After completing the templates described above, the user must compile these units
with the other compilation units listed in Table 3. The program units can be compiled by
entering a “make” command. The “make” command executes a list of shell commands in
the “Makefile” file, which contains the commands for compiling the program units
according to their dependencies. After issuing the “make” command, the executable file is
stored in a file named “scm.” The “Makefile” is provided to the user with the mushroom
program.

Each of these program units will be explained in the following subsections. The
example ring protocol described in Chapter II is also used to illustrate how to complete the
templates.


1. Finite State Machines

There are a few differences in the FSM description of the Smart and Big Mushroom
programs from the Simple Mushroom program. The same reserved words are used to write the
FSM text file. These are listed in Figure 9. The syntax changes that must be made to this
form are shown in Figure 16.

In the SCM model, explicit machine numbers showing which machine a message is
sent to or received from are not needed in the transition names. Since shared
variables are used for communication between machines, this information is included in the
predicate-action table. The FSM text file for the example ring protocol is shown in Figure
17.


trans <transition name> <next_state>
<transition name> ::= <identifier>
<identifier> ::= {[underline] | letter_or_digit}
<letter_or_digit> ::= <letter> | <digit>


Figure 16: Syntax changes for FSM description of SCM model 


Start
number_of_machines 3
machine 1
   State 0
      trans snd_data1 1
   State 1
      trans rcv_data3 0
machine 2
   State 0
      trans rcv_data1 1
   State 1
      trans snd_data2 0
machine 3
   State 0
      trans rcv_data2 1
   State 1
      trans snd_data3 0
initial_state 0 0 0
finish


Figure 17: Text file description of the example ring protocol

The FSM text file is read by the input procedures and the adjacency list, which is
used during the construction of system and global reachability graphs, is generated. The data
structure for the adjacency list is shown in Figure 18.


type visit_type is (yes, no);
type machine_array_record_type;
type Slink_type is access machine_array_record_type;
type machine_array_record_type is
   record
      transition  : scm_transition_type := unused;
      next_Mstate : natural := 0;
      visited     : visit_type := no;
      Slink       : Slink_type := null;
   end record;

type machine_array_type is array (integer range 0 .. 50) of Slink_type;
type system_array_type is array (1 .. num_of_machine) of machine_array_type;


Figure 18: Data structure for the adjacency list. 


2. Variable Definitions 

The user defines the protocol variables in an Ada package named definitions. This
package includes the local variables for each machine and the global variables, which are
considered shared and allow communication between machines. A variable can be one of
the Ada defined types such as: integer, array, string, record, character, boolean, etc. These
types and their subtypes are used to define the protocol variables.

The template for the definitions package is given in Figure 19. The shaded areas
show where the variables of the protocol are inserted by the user. Additional type
declarations should be placed before the machine type declarations.

The variable declarations for the example ring protocol are shown in Figure
20. The local variables of the protocol are: in_buff1, in_buff2, in_buff3, out_buff1,
out_buff2, and out_buff3. The shared variables are: CHAN1, CHAN2 and CHAN3. The
type definition Dummy_type is placed in each of the local variable declarations of
machines in case the protocol has less than eight machines. When declaring the local
variables for each machine, this dummy variable can be deleted from the corresponding
machine. The initial values of the variables are also assigned with the variable declarations.


with TEXT_IO;
use TEXT_IO;
package definitions is
   num_of_machines : constant := ;     -- number of machines in the specification (can be 2 to 8)

   type scm_transition_type is ( );    -- transition names of FSMs

   type dummy_type is range 1..255;

   type machine1_state_type is
      record
         dummy : dummy_type;
         -- local variables for machines 1 to 8
      end record;

   type machine8_state_type is
      record
         dummy : dummy_type;
      end record;
   type global_variable_type is
      record
         -- global (shared) variables
      end record;
end definitions;


Figure 19: Template for definitions package 


3. Predicate-Action Table 
The predicate-action table is represented by a number of subprograms as separate
compilation units. These subprograms are named Analyze_Predicates and are used to
determine the enabled transitions for each machine. The procedure named Action executes
the actions to be taken for the corresponding enabled predicates. There is one
Analyze_Predicates procedure for each machine and one Action procedure for the protocol.
The template for the Analyze_Predicates procedure is shown in Figure 21.


with TEXT_IO;
use TEXT_IO;
package definitions is
   num_of_machines : constant := 3;
   type scm_transition_type is (snd_data1, rcv_data3, snd_data2,
                                rcv_data1, snd_data3, rcv_data2, unused);
   type buffer_type is (D, E);
   package buff_enum_io is new enumeration_io (buffer_type);
   use buff_enum_io;
   type dummy_type is range 1..255;

   type machine1_state_type is
      record
         out_buff1 : buffer_type := D;
         in_buff1  : buffer_type := E;
      end record;
   type machine2_state_type is
      record
         out_buff2,
         in_buff2 : buffer_type := E;
      end record;
   type machine3_state_type is
      record
         out_buff3,
         in_buff3 : buffer_type := E;
      end record;
   type machine4_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine8_state_type is
      record
         dummy : dummy_type;
      end record;
   type global_variable_type is
      record
         CHAN1,
         CHAN2,
         CHAN3 : buffer_type := E;
      end record;

end definitions;


Figure 20: Completed Definitions package for the example ring protocol

separate(main)
procedure Analyze_Predicates_machine1 (local  : machine1_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ( ) then       -- enabling condition
            push(w, );     -- enabled transition
         end if;
      when 1 =>
         -- one "when" branch is completed in the same way for each state

      when others =>
         null;
   end case;
end Analyze_Predicates_machine1;


Figure 21: Template for Analyze_Predicates procedures


The user completes the template for each state of the machines. For each machine
state there is one “when” statement. “If” statements specify the predicates for possible
transitions from the current state. The “Push” statement stores these transitions in the stack.
Since more than one transition can be enabled in some states, a stack is used to store all
possible transitions. The “s” parameter, in the formal parameter list of the procedure, passes
the machine state; and the “w” parameter passes the stack name to the procedure. The file
for the example ring protocol is given in Figure 22.

The template for the Action procedure is shown in Figure 23. The enabled
transitions are passed into this procedure through the “in_transition” formal parameter and
the necessary changes are made to the local and shared variables by the Action procedure.
The “out_system_state” parameter passes the changed protocol variables to the calling
procedure. The completed Action procedure is shown in Figure 24. Text in boldface shows
the user defined parts.

separate (main)
procedure Analyze_Predicates_Machine1 (local : machine1_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((GLOBAL.CHAN1 = E) and (LOCAL.out_buff1 /= E)) then
            Push(w, snd_data1);
         end if;
      when 1 =>
         if (GLOBAL.CHAN3 /= E) then
            Push(w, rcv_data3);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine1;

separate (main)
procedure Analyze_Predicates_Machine2 (local : machine2_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (GLOBAL.CHAN1 /= E) then
            Push(w, rcv_data1);
         end if;
      when 1 =>
         if ((GLOBAL.CHAN2 = E) and (local.out_buff2 /= E)) then
            Push(w, snd_data2);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine2;

separate (main)
procedure Analyze_Predicates_Machine3 (local : machine3_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (GLOBAL.CHAN2 /= E) then
            push(w, rcv_data2);
         end if;
      when 1 =>
         if ((GLOBAL.CHAN3 = E) and (local.out_buff3 /= E)) then
            push(w, snd_data3);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine3;

separate (main)
procedure Analyze_Predicates_Machine4 (local : machine4_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine4;

separate (main)
procedure Analyze_Predicates_Machine8 (local : machine8_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine8;


Figure 22: Completed Analyze_Predicates procedures for the example ring protocol

separate(main)
procedure Action (in_system_state  : in out Gstate_record_type;
                  in_transition    : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
begin
   case in_transition is
      when  =>     -- enabled transition
         -- action taken

      when others =>
         put("Error in the action procedure");
   end case;
end Action;


Figure 23: Template for Action procedure


separate (main)
procedure Action (in_system_state  : in out Gstate_record_type;
                  in_transition    : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
begin
   case (in_transition) is
      when (snd_data1) =>
         out_system_state.GLOBAL_VARIABLES.CHAN1 := in_system_state.machine1_state.out_buff1;
         out_system_state.machine1_state.out_buff1 := E;

      when (rcv_data3) =>
         out_system_state.machine1_state.in_buff1 := in_system_state.GLOBAL_VARIABLES.CHAN3;
         out_system_state.machine1_state.out_buff1 := out_system_state.machine1_state.in_buff1;
         out_system_state.GLOBAL_VARIABLES.CHAN3 := E;

      when (snd_data2) =>
         out_system_state.GLOBAL_VARIABLES.CHAN2 := in_system_state.machine2_state.out_buff2;
         out_system_state.machine2_state.out_buff2 := E;

      when (rcv_data1) =>
         out_system_state.machine2_state.in_buff2 := in_system_state.GLOBAL_VARIABLES.CHAN1;
         out_system_state.machine2_state.out_buff2 := out_system_state.machine2_state.in_buff2;
         out_system_state.GLOBAL_VARIABLES.CHAN1 := E;

      when (snd_data3) =>
         out_system_state.GLOBAL_VARIABLES.CHAN3 := in_system_state.machine3_state.out_buff3;
         out_system_state.machine3_state.out_buff3 := E;

      when (rcv_data2) =>
         out_system_state.machine3_state.in_buff3 := in_system_state.GLOBAL_VARIABLES.CHAN2;
         out_system_state.machine3_state.out_buff3 := out_system_state.machine3_state.in_buff3;
         out_system_state.GLOBAL_VARIABLES.CHAN2 := E;

      when others =>
         put_line("There is an error in the Action procedure");
   end case;
end Action;


Figure 24: Completed Action procedure for the example protocol

C. REACHABILITY ANALYSIS

The process of generating the set of all states reachable from the initial state is called
reachability analysis. The program is capable of generating both the global and system
reachability analyses separately for a protocol specified formally by the SCM model.

The user selects either global reachability analysis or system state analysis from a
menu. During the graph construction, the program also detects the states with deadlock
condition. Analysis results are stored in the output file named “rgraph.dat” in parallel with
the graph construction.

Generating the global reachability analysis and system state analysis will be described
in the following subsections.


1. Global Reachability Analysis 

The structure of the global node representation used for the program is shown in
Figure 25. This node structure also includes the outgoing transitions. The maximum
number of outgoing transitions is limited to 7, which can be increased if necessary. The
shared variables are stored in the global_variables variable and local variables are stored
separately for each machine in the machine_state* variables.

The initial global state is constructed from both the FSM text file and the initial
values of the variables assigned in the definitions package. All the outgoing transitions are
set to null initially. Starting with the initial global state, new nodes are added and linked to
the graph. The algorithm for generating the global reachability graph is the same as the
algorithm given for the system state analysis in Chapter II except that the “system states”
must be replaced by “global states.” Figure 26 shows a pseudo-code algorithm to construct
the global reachability graph.

[Diagram of the global node. Labelled fields: system state number; machine_state; GTUPLE with global_variables, machine1_state, machine2_state.]

Figure 25: Global state structure with outgoing transitions


The program uses hashing for searching the reachability graph, which increases
the run time efficiency of the program. The reachability analysis is limited by the storage
capacity of the computer and by the run time, as in the Simple Mushroom program. For
example, the program generated 31,460 global states for a sliding window protocol of two
machines defined in [Ref. 1] for a window size of 10. The run time for this example was
about 10 minutes. The number of states and the run time increases greatly as the number of
machines in the protocol increases and the protocol specifications become larger.

loop (main loop)
   for index1 in 1 .. total_number_of_machines loop
      position_holder(index1) := machine_array(index1)(M_state(index1))
      Determine the enabled transitions for the machine(index1) and push into transition_stack
      while not Empty(transition_stack) loop
         while (position_holder(index1) /= null) loop
            Traverse the machine arrays for each enabled transition in the stack
            if a transition found in the machine arrays create a temporary node resulting from this transition
               call Action procedure to make the necessary changes to the variables of this node
               Search the graph for this node
               if a node not found then
                  insert and link the node to the graph
                  Enqueue the node into the Gpointer queue
               else
                  link the node to the graph
               end if
            else
               position_holder(index1) := position_holder(index1).Slink
            end if
         end loop
         if not Empty(transition_stack) and a transition not found in the machine arrays
            pop the stack
         end if;
      end loop
   end loop
   if Gpointer_queue Empty then
      exit
   else
      Dequeue Gpointer_queue
      Update M_state for this new node
   end if
end loop (main loop)


Figure 26: Algorithm for generating global reachability graph for Big Mushroom
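The Figure 26 construction applied to the ring protocol of Figures 17, 20, 22 and 24, as an added Python example (not the thesis's Ada program). The predicate-action table is held as data, a Python dict stands in for the program's hash search, and the function and variable names are this example's own. The run yields the 12 states and zero deadlocks reported in Figure 31.

```python
from collections import deque

E, D = "E", "D"   # buffer_type values from the definitions package (Figure 20)

# FSMs of the ring protocol (Figure 17): FSM[machine][state] = [(transition, next_state)]
FSM = {
    1: {0: [("snd_data1", 1)], 1: [("rcv_data3", 0)]},
    2: {0: [("rcv_data1", 1)], 1: [("snd_data2", 0)]},
    3: {0: [("rcv_data2", 1)], 1: [("snd_data3", 0)]},
}

# Local and shared variables (Figure 20) with their initial values.
VARS = ("in_buff1", "out_buff1", "in_buff2", "out_buff2",
        "in_buff3", "out_buff3", "CHAN1", "CHAN2", "CHAN3")
INITIAL = dict.fromkeys(VARS, E)
INITIAL["out_buff1"] = D


def send(i):
    """Predicate and action of snd_data<i>: move out_buff<i> into CHAN<i>."""
    chan, out = f"CHAN{i}", f"out_buff{i}"

    def predicate(v):
        return v[chan] == E and v[out] != E

    def action(v):
        v[chan], v[out] = v[out], E

    return predicate, action


def receive(i, src):
    """Predicate and action of machine i taking the value held in CHAN<src>."""
    chan, inb, out = f"CHAN{src}", f"in_buff{i}", f"out_buff{i}"

    def predicate(v):
        return v[chan] != E

    def action(v):
        v[inb] = v[chan]
        v[out] = v[inb]
        v[chan] = E

    return predicate, action


# Predicate-action table (Figures 22 and 24), keyed by transition name.
TABLE = {
    "snd_data1": send(1), "rcv_data3": receive(1, 3),
    "snd_data2": send(2), "rcv_data1": receive(2, 1),
    "snd_data3": send(3), "rcv_data2": receive(3, 2),
}


def global_reachability(fsm=FSM, table=TABLE, initial=INITIAL):
    """Return (ids, edges, deadlocks, unexecuted) for the global reachability graph."""
    start = ((0,) * len(fsm), tuple(initial[k] for k in VARS))
    ids = {start: 0}                      # global tuple -> state number
    edges, deadlocks, executed = [], [], set()
    queue = deque([start])                # plays the role of the Gpointer queue
    while queue:
        node = queue.popleft()
        mstates, values = node
        v = dict(zip(VARS, values))
        enabled = [(m, name, nxt)
                   for m in sorted(fsm)
                   for name, nxt in fsm[m].get(mstates[m - 1], [])
                   if table[name][0](v)]
        if not enabled:                   # no predicate holds: deadlock
            deadlocks.append(ids[node])
        for m, name, nxt in enabled:
            new_v = dict(v)
            table[name][1](new_v)         # Action: update local and shared variables
            child = (mstates[:m - 1] + (nxt,) + mstates[m:],
                     tuple(new_v[k] for k in VARS))
            if child not in ids:
                ids[child] = len(ids)
                queue.append(child)
            edges.append((ids[node], name, ids[child]))
            executed.add(name)
    return ids, edges, deadlocks, sorted(set(table) - executed)


if __name__ == "__main__":
    ids, edges, deadlocks, unexecuted = global_reachability()
    print(len(ids), "states,", len(deadlocks), "deadlocks, unexecuted:", unexecuted)
    for edge in edges:
        print(edge)
```

Calling `global_reachability(initial=dict(INITIAL, out_buff1=E))` shows the failure case: with nothing to send, the initial state is itself a deadlock and all six transitions are reported as unexecuted.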


2. System State Analysis

The steps in constructing the system state graph are detailed in Chapter II. The
structure of a system state is shown in Figure 27. Since the variables are not part of the
system state, system state nodes are much smaller than the global state nodes. However, in
order to determine the enabled transitions, variables are still needed for each node in the
graph. The program stores the variables in secondary storage, instead of keeping them as a
part of the node, which decreases the amount of primary memory used and allows the
analysis of larger and more complex protocols.

The pseudo-code algorithm for constructing the system reachability graph is
shown in Figure 28.


[Diagram of the system state node. Labelled fields: system_state_number; machine state; subscript; Stransition.]


Figure 27: System state structure for Smart Mushroom program 


D. OUTPUT 

The program stores the results of the analysis in a file named “rgraph.dat.” This file 
contains FSMs in a tabular format, system/global reachability graph, and the results of the 
analysis consisting of number of states generated, number of states analyzed, and number 
of deadlocks. Unexecuted transitions are also listed at the end of the analysis. 

Since each protocol specification has different variables, the user also has the
flexibility to output the desired variables. This is done in a similar manner to the predicate-
action table and variable definitions representation explained earlier, using an Ada
procedure template. The template for the Output_Gtuple procedure is shown in Figure 29.
The user completes the template with Ada “put” statements for outputting the global states.
Since the system state tuples do not include the variables, there is no need to define an
output format for the system reachability graph.


loop (main loop)
   for index1 in 1 .. num_of_trans loop
      if parent_Sstate.link(index1).Stransition /= unused then
         for index2 in 1 .. total_num_of_machines loop
            position_holder := machine_array(index2)(M_state(index2))
            while position_holder /= null loop
               if position_holder.transition = parent_Sstate.link(index1).Stransition then
                  create a temporary system state and store the corresponding variables
                  determine the enabled outgoing transitions
                  search the system state graph for this node
                  if node not found then
                     insert the node and link to the graph
                     Enqueue the node into sys_pointer_queue
                  else
                     link the node to the graph
                  end if
                  exit
               else
                  position_holder := position_holder.Slink
               end if
            end loop
            if an enabled transition found in the machine arrays then
               exit
            end if
         end loop
      else
         exit
      end if
   end loop
   if sys_pointer_queue empty then
      exit
   else
      Dequeue the sys_pointer_queue
      update M_state
   end if
end loop (main loop)


Figure 28: Algorithm for generating system state graph for Smart Mushroom program


The completed template for the output_Gtuple procedure is also given in Figure 30.
As in the Simple Mushroom program, if the analysis generates more than 2000 states, the
program gives an interim summary and continues in steps as described in Chapter III. At
the end of the program, the user can display/print the results or continue with another
system/global state analysis, selecting the desired options from the menu. The output of the
program for the example ring protocol is given in Figures 31 and 32.


separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
   if print_header then
      new_line(2);
      set_col(5);
      -- header format for the variables
      print_header := false;
   else
      put("(" & integer'image(tuple.machine_state(1)));
      put(" , ");
      -- machine 1 local variables

      put("(" & integer'image(tuple.machine_state(2)));
      put(" , ");

      put("(" & integer'image(tuple.machine_state(8)));
      put(" , ");
      -- global variables
   end if;
end output_Gtuple;


Figure 29: Template for output _Gtuple procedure 


separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
   if print_header then
      new_line(2);
      set_col(5);
      put_line(" m1(in_buff1,out_buff1), m2(in_buff2,out_buff2),m3(in_buff3,out_buff3)," &
               "(CHAN1,CHAN2,CHAN3)");
      print_header := false;
   else
      put(" [" & integer'image(tuple.machine_state(1)));
      put(" , ");
      buff_enum_io.put(tuple.machine1_state.in_buff1);
      put(", ");
      buff_enum_io.put(tuple.machine1_state.out_buff1);
      put(" ," & integer'image(tuple.machine_state(2)));
      put(" , ");
      buff_enum_io.put(tuple.machine2_state.in_buff2);
      put(" , ");
      buff_enum_io.put(tuple.machine2_state.out_buff2);
      put(", ");
      put(integer'image(tuple.machine_state(3)));
      put(" , ");
      buff_enum_io.put(tuple.machine3_state.in_buff3);
      put(" , ");
      buff_enum_io.put(tuple.machine3_state.out_buff3);
      put(", ");
      buff_enum_io.put(tuple.GLOBAL_VARIABLES.CHAN1);
      put(" , ");
      buff_enum_io.put(tuple.GLOBAL_VARIABLES.CHAN2);
      put(" , ");
      buff_enum_io.put(tuple.GLOBAL_VARIABLES.CHAN3);
      put(" ]");
   end if;
end output_Gtuple;


Figure 30: Completed output_Gtuple procedure for the example protocol 
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REACHABILITY ANALYSIS of :ring.scm 
SPECIFICATION 


= = = op oe Oo © © © om Oe ew © oo oO oO ow oo oo @ @ @ & 


| Machine 1 State Transitions | 


} From | To | Transition | 
| 0 | 1 | snd_datal | 
1 1. | 0 | xrev.data3 | 


| Machine 2 State Transitions | 


| From | To | Transition | 
| 0 | 1 | rxrev_datal | 
| 1 | 0 | snd_data2 | 


= = om om om om om om oe og om oO a aw ow om OP So ee ee we we ee es es es es 


| Machine 3 State Transitions | 


| From | To | Transition | 
] 0 | 1 | rev_data2 | 
1 1. | 0 | snd_data3_ | 


GLOBAL REACHABILITY GRAPH 


m1(in_buff1,out_buff1),m2(in_buff2,out_buff2),m3(in_buff3,out_buff3),(CHAN1,CHAN2,CHAN3)

 0 [ 0, E, D, 0, E, E, 0, E, E, E, E, E ]  snd_data1   1
 1 [ 1, E, E, 0, E, E, 0, E, E, D, E, E ]  rcv_data1   2
 2 [ 1, E, E, 1, D, D, 0, E, E, E, E, E ]  snd_data2   3
 3 [ 1, E, E, 0, D, E, 0, E, E, E, D, E ]  rcv_data2   4
 4 [ 1, E, E, 0, D, E, 1, D, D, E, E, E ]  snd_data3   5
 5 [ 1, E, E, 0, D, E, 0, D, E, E, E, D ]  rcv_data3   6
 6 [ 0, D, D, 0, D, E, 0, D, E, E, E, E ]  snd_data1   7
 7 [ 1, D, E, 0, D, E, 0, D, E, D, E, E ]  rcv_data1   8
 8 [ 1, D, E, 1, D, D, 0, D, E, E, E, E ]  snd_data2   9
 9 [ 1, D, E, 0, D, E, 0, D, E, E, D, E ]  rcv_data2  10
10 [ 1, D, E, 0, D, E, 1, D, D, E, E, E ]  snd_data3  11
11 [ 1, D, E, 0, D, E, 0, D, E, E, E, D ]  rcv_data3   6


SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED) 
Number of states generated : 12
Number of states analyzed  : 12
Number of deadlocks        : 0

UNEXECUTED TRANSITIONS
*****NONE*****


Figure 31: Program output for global reachability analysis 
REACHABILITY ANALYSIS of :ring.scm
SPECIFICATION

| Machine 1 State Transitions |

| From | To | Transition |
|  0   | 1  | snd_data1  |
|  1   | 0  | rcv_data3  |

| Machine 2 State Transitions |

| From | To | Transition |
|  0   | 1  | rcv_data1  |
|  1   | 0  | snd_data2  |

| Machine 3 State Transitions |

| From | To | Transition |
|  0   | 1  | rcv_data2  |
|  1   | 0  | snd_data3  |


SYSTEM REACHABILITY GRAPH 


0 [ 0, 0, 0 ] 0  snd_data1  1
1 [ 1, 0, 0 ] 0  rcv_data1  2
2 [ 1, 1, 0 ] 0  snd_data2  3
3 [ 1, 0, 0 ] 2  rcv_data2  4
4 [ 1, 0, 1 ] 0  snd_data3  5
5 [ 1, 0, 0 ] 2  rcv_data3  0


SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED) 
Number of states generated : 6
Number of states analyzed  : 6
Number of deadlocks        : 0

UNEXECUTED TRANSITIONS
*****NONE*****

Figure 32: Program output for system state analysis²

2. The number next to the “]” sign shows the subscript that is explained in Chapter II.
V. EXAMPLES FOR USING THE MUSHROOM PROGRAM


In this Chapter, the programs Simple Mushroom, Big Mushroom, and Smart 
Mushroom are demonstrated with several examples. 

The Simple Mushroom program will be used to analyze a simple example four 
machine protocol which illustrates some important aspects of the program, such as 
detecting unspecified receptions, unexecuted transitions etc. Also, the information transfer 
phase of a full duplex LAP-B protocol specified by the CFSM model will be analyzed. This 
protocol illustrates a larger and more complex analysis. 

The Big Mushroom and Smart Mushroom programs will be used to analyze the GO
BACK N protocol with a window size of 10, and the Token Bus protocol, which illustrate
some important aspects of the system state analysis.


A. CFSM MODEL 


1. A Simple Four Machine Protocol 

The specification of the protocol using the CFSM model is shown in Figure 33. 
Each of the machines sends/receives a message/acknowledgment from another machine. 
Machines 2 and 3 also have another send transition from state 1 to state 3. The FSM 
description of the protocol is shown in Figure 34, and analysis results obtained by the 
Simple Mushroom program are shown in Figure 35. The analysis generated 36 global states. 
There are three unspecified receptions and one unexecuted transition. No deadlocks or 
channel overflows are recorded. The maximum channel size is 2. These results are obtained 
by simply entering the FSM text file into the program. This analysis would be very
cumbersome to do manually, even for a simple specification like this one.
[Figure 33 (diagram not recoverable): state machines for MACHINE 1 to MACHINE 4.
Surviving edge labels: MACHINE 1: +A,m3 and -D,m2; MACHINE 2: -D,m3, +D,m4 and +D,m1;
MACHINE 3: -A,m1, -D,m4 and +D,m2; MACHINE 4: -D,m2 and +D,m3.]

Figure 33: Specification for the example four machine protocol


start
number_of_machines 4
machine 1
state 1
trans -D 2 2
state 2
trans +A 1 3
machine 2
state 1
trans -D 3 3
trans +D 2 1
state 2
trans +D 1 4
machine 3
state 1
trans -A 3 1
trans +D 2 2
state 2
trans -D 1 4
machine 4
state 1
trans +D 2 3
state 2
trans -D 1 2
initial_state 1 1 1 1
finish


Figure 34: FSM text file for the example protocol 
[Figure 35 (program output; listing not recoverable): REACHABILITY ANALYSIS with the
SPECIFICATION tables of state transitions (From, To, other machine) for each machine,
the UNEXECUTED TRANSITIONS table, and the SUMMARY OF REACHABILITY ANALYSIS
(ANALYSIS COMPLETED), including “Total number of states generated : 36”.]

Figure 35: Program output for the example protocol
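As an added example (not the Mushroom source, which is written in Ada), the breadth-first global analysis described above can be reproduced in Python on the Figure 34 text. It assumes one unbounded FIFO channel per ordered pair of machines, the column order label / next state / other machine on each trans line, and that a terminal state with messages still queued is what the program counts as an unspecified reception; under those assumptions it returns the 36 states, no deadlocks, one unexecuted transition, maximum queue size 2 and three such terminal states.

```python
from collections import deque

# Figure 34's FSM text as read here. Assumed column order on a "trans" line:
# label, next state, other machine (-X sends X to it, +X receives X from it).
FOUR_MACHINE_FSM = """\
start
number_of_machines 4
machine 1
state 1
trans -D 2 2
state 2
trans +A 1 3
machine 2
state 1
trans -D 3 3
trans +D 2 1
state 2
trans +D 1 4
machine 3
state 1
trans -A 3 1
trans +D 2 2
state 2
trans -D 1 4
machine 4
state 1
trans +D 2 3
state 2
trans -D 1 2
initial_state 1 1 1 1
finish
"""

def parse_fsm(text):
    """Return (trans, initial); trans[machine][state] = [(label, next, peer)]."""
    trans, initial, machine, state = {}, (), None, None
    for line in text.splitlines():
        tok = line.split()
        key = tok[0].lower() if tok else "start"
        if key in ("start", "finish"):
            continue
        if key == "number_of_machines":
            trans = {m: {} for m in range(1, int(tok[1]) + 1)}
        elif key == "machine":
            machine = int(tok[1])
        elif key == "state":
            state = int(tok[1])
            trans[machine].setdefault(state, [])
        elif key == "trans" and tok[1][0] in "+-":
            trans[machine][state].append((tok[1], int(tok[2]), int(tok[3])))
        elif key == "initial_state":
            initial = tuple(int(t) for t in tok[1:])
        else:
            raise ValueError("unrecognised line: " + line)
    if not trans or len(initial) != len(trans):
        raise ValueError("initial_state must give one state per machine")
    return trans, initial

def successors(trans, gstate):
    """Yield (transition id, next global state) for each enabled transition."""
    states, chans = gstate
    for m, s in enumerate(states, start=1):
        for label, nxt, peer in trans[m].get(s, []):
            q = dict(chans)
            if label[0] == "-":                  # send: append to queue m -> peer
                q[(m, peer)] = q.get((m, peer), ()) + (label[1:],)
            else:                                # receive: head of peer -> m must match
                pending = q.get((peer, m), ())
                if not pending or pending[0] != label[1:]:
                    continue
                q[(peer, m)] = pending[1:]
            new_states = states[:m - 1] + (nxt,) + states[m:]
            new_chans = tuple(sorted((k, v) for k, v in q.items() if v))
            yield (m, s, label, peer), (new_states, new_chans)

def analyze(text, max_states=200_000):
    """Breadth-first global reachability analysis over FIFO channels."""
    trans, initial = parse_fsm(text)
    declared = {(m, s, t[0], t[2]) for m in trans for s in trans[m] for t in trans[m][s]}
    start = (initial, ())
    seen, work, executed = {start}, deque([start]), set()
    deadlocks = stuck_pending = max_queue = 0
    while work:
        gstate = work.popleft()
        max_queue = max([max_queue] + [len(q) for _, q in gstate[1]])
        enabled = list(successors(trans, gstate))
        if not enabled and gstate[1]:
            stuck_pending += 1        # nothing can move, messages still queued
        elif not enabled:
            deadlocks += 1            # nothing can move, every channel empty
        for tid, nxt in enabled:
            executed.add(tid)
            if nxt not in seen:
                if len(seen) >= max_states:
                    raise RuntimeError("state limit reached; analysis incomplete")
                seen.add(nxt)
                work.append(nxt)
    return {"states": len(seen), "deadlocks": deadlocks, "max_queue": max_queue,
            "stuck_with_pending": stuck_pending, "unexecuted": sorted(declared - executed)}
```

The unexecuted transition it reports is machine 2's +D from machine 4 in state 2: machine 4 only sends after machine 2 has taken its -D to state 3, so the reception can never be reached.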


2. Analysis of Information Transfer Phase of the LAP-B Protocol 

In this Section, analysis of a Data Link Control (DLC) protocol is described using
the Simple Mushroom program. The LAP-B protocol is modeled and analyzed with the CFSM
model [Ref. 14]. A simplified analysis of the information transfer phase of the protocol,
which includes only I-frames with a window size of 2, will be described below.

This analysis is important in two ways. First, it verifies that the program is correct 
by obtaining the same analysis results as in [Ref. 14]. Secondly, it is a good example to 
show that the total number of global states can be very large, even for such a limited 
protocol. The description of the information transfer phase is explained below as it appears 
in [Ref. 14]. 

The network nodes, which are connected by the protocol, consist of a Data
Terminal Equipment (DTE) and a Data Circuit Terminating Equipment (DCE). In this
model, DTE and DCE are considered process 1 and process 2 respectively. Each of these
processes is also modeled as three sub-processes: Sender, Receiver and Frame Assembler
Disassembler (FAD), which are numbered as 1 or 2 according to their process numbers.

Figure 36 shows the processes and how they are connected. The FAD process 
combines data blocks from the Sender with acknowledgments from the Receiver, into 
complete I-frames and sends the I-frames to the FAD of the other process. The FAD also 
breaks up the I-frames received from the other FAD and sends the acknowledgment to the 
Sender, and data blocks to the Receiver. 

I-frames are expressed by the notation “Inm”, where n is the send sequence
number N(S), and m is the receive sequence number N(R). The message “Di” is a data
block sent from the Sender to the FAD, or from the FAD to the Receiver; it is the data block
which is to be placed in, or which is taken out of, the I-frame. The “i” in “Di” is the send
sequence number. The message “Ai” is an acknowledgment with a receive sequence
number of i.
The finite state machines for the Sender, Receiver and FAD of the DTE are shown
in Figures 37, 38 and 39. The FSMs for the DCE are the same except that FAD1,
RECEIVER1, and SENDER1 must be replaced with FAD2, RECEIVER2, and SENDER2
respectively. Since no RR-frames are used, I-frames can only be acknowledged by
receiving an N(R) from an incoming I-frame.

As an example, suppose the DTE Sender1 has 3 data blocks to send. It can go
from state 1 to state 2, sending “D0,” and then to state 3, sending the second block as “D1.”
At this point, 2 data blocks are outstanding, so it must wait for an acknowledgment of at
least one of them before sending the third.

The DTE FAD1 process, initially in state 1, will receive the D0 from Sender1 and
enter state 2. It then sends an “enquiry” to the Receiver1 to get the latest acknowledgment,
an N(R), for the data blocks received from the DCE.

Since no data blocks have been received by the DTE yet, Receiver1 will respond
with an “A0.” FAD1 will receive the A0, and will transition from state 8 to 11. The FAD1
will then return to state 1 sending the I-frame “I00.” Similarly, the FAD1 will receive the
second data block, D1, and transmit it as “I10” after combining with “A0.”

FAD2 will receive the “I00” frame first, entering state 20. It then splits this
I-frame and sends the “D0” to Receiver2, and “A0” to Sender2.

Sender2 is in state 1, and simply discards this “A0.” Receiver2 is in state 1,
accepts the “D0” data block and transitions to state 2.

Similarly, the DCE FAD2 process receives the “I10” message, and sends the
“D1” to Receiver2, and “A0” to Sender2. Sender2 will discard the “A0”, remaining in
state 1, and Receiver2 will receive “D1,” transitioning to state 3.

Suppose at this point a user data block becomes available to send at the DCE. It
will send an “I02” frame across the data link to the DTE; and upon receiving the I02, the
DTE will now be able to send the third user data block.
For the automated analysis of the protocol, the FSMs in Figures 37, 38, and 39 are
converted to a text file and entered into the program as shown in Appendix A. The
transition names in this text file are the same as in the FSM diagrams, such as “+I00”,
“+D0” etc. In order to save memory and generate a larger number of states in the analysis,
the transition names can be abbreviated to single characters at the time of the analysis as
shown below:

D0  -> X     I00 -> 1
D1  -> Y     I01 -> 2
D2  -> Z     I02 -> 3
A0  -> A     I10 -> 4
A1  -> B     I11 -> 5
A2  -> C     I12 -> 6
ENQ -> Q     I20 -> 7
             I21 -> 8
             I22 -> 9


The amount of memory available and the CPU time are always a concern for a full
reachability analysis. The program output for the analysis is partially given in Appendix A.
Because of the size of the analysis, only a very small portion of the reachable states are
included in the output. The total number of global states generated for the information
phase was 73391. There were no unspecified receptions, unexecuted transitions, or
channel overflows. The maximum channel length was 6. A deadlock condition was found
at state 17034 where all the channels were empty and Sender1, Receiver1, FAD1, FAD2,
Sender2, Receiver2 were in states 3, 3, 1, 1, 3, 3 respectively. This deadlock state is
expected since RR-frames are not included in the analysis. A more detailed explanation
including the RR-frames in the protocol is given in [Ref. 14]. The reader may note that the
results of the analysis exactly match the results reported in Reference 14. The
deadlock state found in Reference 14 was 67699, which was recorded at state 17034 in this
analysis. However, the global states are the same for both analyses. The Simple Mushroom
program uses a Breadth-First Search algorithm for choosing the states from the work set
(i.e., global states that are generated, but have not been analyzed yet). The protocol verifier
PROVE, used in Reference 14, might be using a Depth-First Search approach, which would
result in a different global state number.

The protocol, including the RR-frames, was also entered into the program, but the
program could not complete the analysis due to insufficient computer memory. In this
analysis, 153565 global states were generated. No unspecified receptions, deadlocks or
channel overflows were recorded for the analyzed portion of the protocol. The maximum
channel size reached was 4. The program completed the analysis in 11 hours 51 minutes on
a Sun SPARC station.


B. SCM MODEL 


1. Go Back N 

The first protocol selected for analysis using the Big Mushroom and Smart
Mushroom programs is a 1-way data transfer protocol with a variable window size, which
is essentially a subset of the High-level Data Link Control (HDLC) class of protocols. This
protocol is modeled and analyzed with the SCM model in [Ref. 1]. The same specification
will be used here and an automated analysis will be described using the programs
developed for a window size of 10. The specification is summarized below:

There are two machines in the system, a sender (m1) and a receiver (m2). The
sender sends data blocks to the receiver, which are numbered sequentially, 0, 1, ..., w, 0, 1,
... for a window size of w. As in HDLC, the maximum number of data blocks which can be
sent without receiving an acknowledgment is w, the window size. The receiver, m2,
receives the data blocks and acknowledges them by sending the sequence number of the
next data block expected (which is stored in local variable exp). The shared variables
DATA and SEQ are used to pass messages from sender to receiver, and the shared variable
ACK is used to pass acknowledgments back to the sender. The receiver may acknowledge
any number of blocks received up to the window size. Upon receiving the
acknowledgment, the sender must be able to deduce how many data blocks are being
acknowledged. This is done by observing the difference between the values of the received
acknowledgment and the sequence number of the last data block sent.

The general specification of the protocol is given in Figure 40 and in Table 4.
Initially, both sender and receiver are in state 0, arrays DATA and SEQ are empty, and
ACK is empty. The domains of DATA, Rdata and Sdata are not specified; these are used
to hold user data blocks. Sdata and Rdata are the interface or access points of the higher
layer (user) protocol. The local variables for the sender are Sdata, used to store data blocks,
seq, used to store the sequence number of the next data block to be sent out, and i, used as
an index into the DATA and SEQ arrays. Initially seq is set to 0, and i is set to 1. The local
variables of the receiver are Rdata, exp, and j. Rdata is used to receive and store incoming
data blocks, exp to hold the expected sequence number of the next incoming data block, and
j is an index into the shared arrays DATA and SEQ.

The states of both sender and receiver are numbered 0, 1, ..., w, and each state has
an easily recognized intuitive meaning. If the sender is in state 0, then all data blocks sent
to date have been received by the receiver, so a full window size of w data blocks may be
sent without waiting for an acknowledgment. If m1 is in state w, then a full window of
blocks have been sent, so the sender can only wait for the acknowledgment from the
receiver.

If the receiver, m2, is in state 0, then all received data blocks have been
acknowledged. If in state w, then a full window of data blocks have been received, but not
acknowledged. Whenever the receiver sends an acknowledgment, all data blocks received
up to that point are acknowledged.
[Figure 40 (diagram not recoverable): state machines for the sender and the receiver,
with transitions -D and +A_k, and the local variables seq: (0, 1, 2, ..., w) and
exp: (0, 1, 2, ..., w) with their indices i and j.]

Figure 40: State machines and variables for Go Back N


TABLE 4: PREDICATE-ACTION TABLE FOR GO BACK N

| Transition | Enabling predicate                       | Action                                             |
| -D         | DATA(i) = ε ∧ SEQ(i) = ε                 | DATA(i) ← Sdata(i); SEQ(i) ← seq; inc(i, seq)      |
| +A_k       | ACK ⊕ k = seq ∧ ACK ≠ ε (next state : k) |                                                    |
| +D         | DATA(j) ≠ ε ∧ SEQ(j) = exp               | Rdata ← DATA(j); DATA(j), SEQ(j) ← ε; inc(j, exp)  |
| -A         | DATA(j) = ε                              | ACK ← exp; Rdata ← ε                               |


The enabling predicate and action for each transition are shown in Table 4. The
label or transition name is the leftmost column, the enabling predicate in the middle, and
the corresponding action on the right. There are four basic types of transitions. In the
sender, m1, the -D transition transmits a data block by placing it into the shared variable
DATA(i), and the sequence number into SEQ(i). The send is enabled whenever those
variables are empty. (The interaction between the sender and the user, or higher layer, is
implicit, and not specified here). The inc operation increments its arguments if they are
less than their maximum value; otherwise it resets them to the minimum value. The operator ⊕
represents the inc operation repeated k times, if the argument is k, and the symbol ε denotes
the empty value. The receive transition in the receiver, m2, is enabled whenever a data block
of the appropriate sequence number is in the jth element of DATA and SEQ. An
acknowledgment may be sent by m2 in any state except 0, in which case no unacknowledged
data blocks have been received.

The remaining transition is the +A, receive acknowledgment, in m1. If m1 is in
state u, 1 ≤ u ≤ w, and there is a nonempty value in shared variable ACK, then exactly one
of the transitions +A_0, +A_1, ..., +A_(u-1) will be enabled; it will be that A_k such that the
predicate ACK ⊕ k = seq is true, and the next state is k. [Ref. 1]

For analyzing this protocol using the Big Mushroom and Smart Mushroom
programs, the inputs to the program must be completed. These consist of a text file
description of FSMs, the package definitions, which include the variables of the protocol,
and the subprograms Analyze_Predicates_Machines and Action, which define the
predicate-action table. Also an Output_Gtuple procedure, which defines the output format
for the global tuples, must be entered. Completed packages/procedures for a window size
of 10 are given in Appendix B.

The same names are used for local and shared variables in the package definitions
as in the predicate-action table. Variables DATA, ACK and Sdata are declared as one
dimensional arrays of size 10, which is the window size. Local variables seq and exp and
index numbers i and j are declared as integers in the range 0 to 10. Global variable ACK is
declared as integer in the range -1 to 10, where -1 represents the ε value in the predicate-action
table. An enumeration type, buffer_type, is declared for storing the data passed by the upper
layer to local variable Sdata. Data are declared as d0, d1, ..., d9, e, where e represents the ε
value. Transition names in the specification are defined as snd_data, rcv_data, snd_ack,
rcv_acki for -D, +D, -A, and +A_i in the predicate-action table respectively.


Actions and predicates are also translated to Ada statements in the subprograms
Analyze_Predicates_Machines and Action. For each state in both machines there is a
“when” statement. The predicates for the outgoing transitions from that state are translated
to Ada with “if” conditional statements. Actions in the predicate-action table are converted
to Ada statements with “when” statements (see Appendix B).

The program generated 286 system states and 31,460 global states, which are
identical with the results obtained by the formulas given in [Ref. 1]. The protocol is free
from deadlocks and there are no unexecuted transitions. The difference between the
number of system and global states shows the power of the system state analysis which
reduced the number of states in the reachability graph exponentially. However, without the
Smart Mushroom program, the system state analysis would be cumbersome to do manually,
and the global reachability analysis would be infeasible.


2. Token Bus 
As another example of the program's application, the token bus specification in [Ref.
15] will be used. The specification is a simplified one. It assumes that the transmission
medium is error free and all transmitted messages are received undamaged. Both the system
state analysis and global analysis are generated from this token bus specification for a
protocol consisting of 8 machines.


The specification of this simplified protocol is given in Figure 41 and Table 5. The
FSM diagram and the local variables are the same for each machine, where the transition
names ready, rcv, pass, get-tk, pass-tk, Xmit, and moreD are appended with the
corresponding machine number for each machine in the specification. For
example, transitions for machine 7 are named ready7, rcv7, pass7, etc. This makes it
easier to follow the reachability graphs. The remainder of the protocol specification as
described in Reference 15 is as follows: The shared variable, MEDIUM, is used to model
the bus, which is “shared” by each machine. A transmission onto the bus is modeled by a
write into the shared variable. The fields of this variable correspond to the parts of the
transmitted message: the first field, MEDIUM.t, takes the values T or D, which indicate
whether the frame is a token or a data frame. The second field contains the address of the
station to which the message is transmitted (DA for “destination address”); the next field,
the originator (SA for “source address”); and finally the data block itself.

The network stations, or machines, are defined by a finite state machine, a set of
local variables, and a predicate-action table. The initial state of each machine is state 0, and
the shared variable is initially set to contain the token with the address of one of the stations
in the “DA” field.

The value of local variable next is the address of the next or downstream neighbor,
and these are initialized so that the entire network forms a cycle, or logical ring.

The local variable i is used to store the station’s own address. As implied by the
names, the local variables inbuf and outbuf are used for storing data blocks to be transmitted
to or retrieved from other machines on the network. The latter of these, outbuf, is an array
and thus can store a potentially large number of data blocks. The local variable ctr serves
to count the number of blocks sent; it is an upper bound on the number of blocks which can
be sent during a single token holding period. The local variable j is an index into the array
outbuf.
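[Figure 41 (diagram not recoverable): the shared variable MEDIUM with fields t, DA, SA,
data; the local variables i (my address), next (address of next station),
ctr: (1, 2, ..., k+1) and j; buffers with fields DA, SA, data and t, DA, SA, data; and the
FSM, of which the transition label moreD survives.]

Figure 41: FSM and variables for the network nodes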


The local variables j and ctr are initially set to 1, and inbuf and outbuf are initially
set to empty. The shared variable MEDIUM initially contains the token, with the address of
the station in the DA field. Thus the initial system state tuple is (0, 0, ..., 0) and the first
transition taken will be get-tk by the station which has its local variable i equal to
MEDIUM.DA.

Each machine has four states. In the initial state, 0, the stations are waiting to
either receive a message from another station, or the token. If the token appears in the
variable MEDIUM with the station’s own address, the transition to state 2 is taken. When
taking the get-tk transition, the machine clears the communication medium and sets the
message counter ctr to 1. In state 2, the station transmits any data blocks it has, moving to
state 3, or passes the token, returning to state 0. In state 3, the station will return to state 2
if any additional blocks are to be sent, until the maximum count k is reached. When the
count is reached, or when all the station’s messages have been sent, the station returns to
state 0.

The receiving station, as with all stations not in possession of the token, will be in
state 0. The message will appear in MEDIUM, with the receiving station’s address in the
DA field. The receiving transition to state 1 will then be taken, the data block copied, and
MEDIUM cleared. By clearing the medium, the receiving station enables the sending
station to return to its initial state (0) or to its sending state (2).


TABLE 5: PREDICATE-ACTION TABLE FOR THE NETWORK NODES

| Transition | Enabling predicate                          | Action                                                       |
| rcv        | MEDIUM.(t, DA) = (D, i)                     | inbuf ← MEDIUM.(SA, data)                                    |
| get-tk     | MEDIUM.(t, DA) = (T, i)                     | MEDIUM ← ∅; ctr ← 1                                          |
| Xmit       | outbuf[j] ≠ ∅                               | MEDIUM ← outbuf[j]; ctr ← ctr ⊕ 1, j ← j ⊕ 1; outbuf[j] ← ∅  |
|            | MEDIUM = ∅ ∧ (outbuf[j] = ∅ ∨ ctr = k+1)    | MEDIUM ← (T, next, i, ∅)                                     |
The symbol “⊕” indicates that the variable should be incremented unless its
maximum value has been reached, in which case it should be reset to the initial value. The
notation MEDIUM.(t, DA) is used to denote the first two fields of the variable MEDIUM.
For example, MEDIUM.(t, DA) = (T, i) is a boolean expression which is true if and only if
the first field of MEDIUM contains the value T, and the second field contains the value i.
Other notations in the predicate-action table such as “∧”, “∨”, “←” etc. are intuitive.

The inputs to the program for the reachability analysis of this protocol are given
in Appendix C. The same names as in the specification are used for the local and global
variables in the package definitions. Also, the “empty” value is represented by “E” and the
data are represented by “I” in this package. The upper bound on the number of data blocks
in the outbuf variable is set to 7.

The system state analysis alone did not give a complete analysis due to some
loops in the FSMs of the SCM specification. Since the system state analysis assumes that
two system states are equivalent if both the machine state tuples and the outgoing
transitions are the same, this can cause the system state analysis to give insufficient results
in some special cases. For example, incomplete results can arise when the FSMs of the
specification include some loops that result in the same states and enabled transitions
repeatedly. In such specifications, some of the transitions will stay unexecuted, resulting in an
incomplete analysis. This situation is observed in this specification when one of the
machines had two or more data blocks in its outbuf local variable. For instance, if machine
1 has two data blocks in its outbuf local variable waiting for transmission and it receives
the token from MEDIUM, it transitions to state 2 with get-tk and then takes the Xmit
transition to state 3, sending the first data block. Since it has one more data block to send,
the next transition will be moreD, which will take it back to state 2. At this point the system
state analysis will stop and the reachability analysis will be incomplete.
The problem can be solved by splitting the system state analysis into three parts.
First, the protocol can be analyzed with no messages in the machines and the behavior of
the machines including only the transitions of the token can be observed (transitions get-tk
and pass). Then, the analysis can be performed with one message in the outbuf local
variables of the machines, which allows us to analyze the transitions for receiving/
transmitting the messages in addition to the transitions including the token (get-tk, Xmit,
rcv, ready, pass-tk). Finally, the protocol can be analyzed with each machine having more
than one message, which includes the last transition in the analysis (moreD). Combining
the results of these parts shows that the protocol is free from deadlocks and there are no
unexecuted transitions.

The definitions packages and the analysis results are given separately for each of
the three cases outlined above in Appendix C. The system state analysis generated 16, 40
and 5 system states respectively for the parts explained above. The global analysis has
generated 263 global states and there were no deadlocks or unexecuted transitions. The
global reachability analysis is also given in Appendix C.

The system state analysis has reduced the number of states from 263 (global) to
61 (for all three parts). This is another example showing the advantage of the system state
analysis.
VI. CONCLUSIONS AND FURTHER RESEARCH POSSIBILITIES


In this thesis, a software tool has been described which automates the analysis of 
protocols specified by the SCM and CFSM models. The program generates either the 
system state analysis or global reachability analysis for the SCM model. The program also 
generates the full reachability graph for a protocol specified by the CFSM model. 

The major achievement of the thesis was the increase in the number of machines in the 
protocol specification. The previous work in [Ref. 8] was extended to allow two to eight 
machines in the specification. The run time and memory efficiency of the program were 
improved to allow the analysis of larger and more complex protocols. The user interface of 
the program has also been improved. 

The system state analysis reduces the size of the state space greatly, but in some cases,
when the system state analysis is not sufficient for the protocol analysis, the global
reachability analysis is required. The Smart Mushroom program generates the system state
graph. The Simple and Big Mushroom programs are based on exhaustive analysis, and
generate the full global reachability graph. The main problem in these programs is the
“state space explosion.” As stated in [Ref. 16], an estimate for the maximum size of the
state space that can be reached for a full reachability analysis is about 10^5 states. This is in
agreement with the maximum number of states generated so far using the Big Mushroom
program (153565 = 1.53 x 10^5 states were generated for the example protocol described in
Chapter V).

The size of the state space which can be generated is directly proportional to the
memory available on the computer. For a full reachability graph, an equation can be derived
for determining the maximum number of states, where:

M: Memory available on the computer (bytes).
S: Amount of memory for storing one system state (bytes).
O: Overhead (memory for storing the program and other data structures etc.).

Then, the number of states that can be analyzed is: N = (M-O)/S. Usually O << M, and
O can be ignored. For instance, for the LAP-B protocol analysis described in Chapter V,
M = 80 MBytes, S = 516 bytes, and N = 162596. In this analysis, only 153565 states were
generated by the Simple Mushroom program. The difference between these numbers is due
to the exclusion of the overhead in the calculation. Unfortunately memory was not enough
for a 100% coverage in this analysis.

In spite of the state space explosion, the programs developed in this thesis are still very
helpful for analyzing protocols. A full reachability analysis may be feasible by keeping the
protocol specifications as simple as possible, and using certain assumptions about the
behavior of the protocol to reduce the size of the state space. For example, the size of the
message queue is very important for the CFSM model. A smaller message queue decreases
S and allows larger protocols to be analyzed. A specification with fewer processes
increases the number of states that can be analyzed. Modeling the machines with fewer
states is also helpful. For the SCM model, N can be increased by keeping the
size of global and local variables as small as possible. A simpler protocol specification also
reduces the run time.

But, in some cases, even after some simplifications, a full reachability analysis is
impossible. Fortunately, some solutions still exist for the automated protocol analysis. One
method which is described in [Ref. 16] is using the supertrace algorithm. In the Mushroom
program, hashing is used to increase the search efficiency. In the supertrace algorithm a
very large hash size (almost the whole available memory) is used, and system states are not
stored. This method is explained in [Ref. 16]. For example, with 10 MB of memory, 80
million states can be generated using this method as described in [Ref. 16]. Of course this
efficiency does not come free. Due to hash conflicts, this method cannot guarantee 100%
coverage, but as a partial search technique, this algorithm is very powerful.
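The trade-off described above can be seen in a short sketch; this is an added example, not Mushroom code or the supertrace implementation of [Ref. 16]. It assumes bit positions derived from SHA-256, two bits per state, and a constructed three-counter system standing in for a protocol's state graph.

```python
import hashlib
from collections import deque


class ExactSet:
    """Ordinary visited set: stores every state, so coverage is complete."""

    def __init__(self):
        self.states = set()

    def add_if_new(self, state):
        if state in self.states:
            return False
        self.states.add(state)
        return True


class BitstateSet:
    """Visited set that keeps k hashed bits per state, never the state itself."""

    def __init__(self, bits, k=2):
        self.bits, self.k = bits, k
        self.table = bytearray((bits + 7) // 8)

    def add_if_new(self, state):
        """Set the state's bits. Return False when all were already set: the
        state was seen before, or a hash conflict makes a new state look old."""
        digest = hashlib.sha256(repr(state).encode()).digest()
        new = False
        for i in range(self.k):
            pos = int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.bits
            if not self.table[pos >> 3] & (1 << (pos & 7)):
                self.table[pos >> 3] |= 1 << (pos & 7)
                new = True
        return new


def toy_successors(state, modulus=12):
    """Constructed system: three counters; each step advances one of them."""
    return [state[:i] + ((state[i] + 1) % modulus,) + state[i + 1:] for i in range(3)]


def explore(visited, start=(0, 0, 0)):
    """Breadth-first search; returns how many states the visited set admitted."""
    visited.add_if_new(start)
    work, count = deque([start]), 1
    while work:
        for nxt in toy_successors(work.popleft()):
            if visited.add_if_new(nxt):
                count += 1
                work.append(nxt)
    return count
```

With a 512-bit table the search can admit at most 512 of the 1,728 reachable states, because every admitted state has to set at least one fresh bit; the remainder are pruned without any error being raised, which is the loss of coverage the text refers to.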

This thesis opens several areas for further work. One improvement would be to 
increase the size of the system space that can be analyzed. Adding the supertrace option to 
the Mushroom program can be a good area for further work. 

The number of reachable states is usually very large and it would be awkward to print
out or browse through the listing. Another improvement would be to store the reachability
analysis results in the form of a database, and provide a query language that allows the user
to easily analyze the results of the analysis as suggested in [Ref. 17] (for instance, querying
the error sequences and certain paths between any two states etc.).

Finally, another research possibility would be to add a simulator module to 
Mushroom. For protocols with a large state space, where full reachability analysis 
is infeasible, simulation would be useful. 

The Ada programming language was used to develop Mushroom. Also, the specification 
of the SCM model must be entered into the program using Ada subprograms and packages. 
Ada is a well-structured programming language, and supports the modular development of 
programs. Also, exception handling, generic units, and tasking are important features of 
Ada. These features were helpful in developing the program. The well-structured property 
of the programming language makes the input of the specification easier. The tasking 
mechanism of Ada would be very helpful in developing a simulator module for the program. 

The Simple Mushroom program is used as a teaching aid in an introductory 
communications network course at the Naval Postgraduate School. This can be another area 
where students can use the tool as an aid in learning protocol design and analysis. 

The Mushroom program is a tool that, it is hoped, will greatly improve the 
design and analysis of protocols specified by the SCM and CFSM models. In particular, this 
program may help to answer some questions concerning the SCM model which have not been 
completely answered. 


APPENDIX A (LAP-B Protocol Information Transfer Phase) 


FSM Text File 


start 
number of machines 6 
machine 1 
state 1 
trans +A0 
trans -D0 
state 2 
trans +A0 
trans -D1 
trans +A1 
state 3 
trans +A0 
trans +A1 
trans +A2 
state 4 
trans +A1 
trans -D1 
state 5 
trans +A1 
trans +A2 
trans -D2 
state 6 
trans +A1 
trans +A0 
trans +A2 
state 7 
trans +A2 
trans -D2 
state 8 
trans +A2 
trans +A0 
trans -D0 
state 9 
trans +A2 
trans +A0 
trans +A1 
machine 2 
state 1 
trans +ENQ 4 3 
trans +D0 2 3 
state 2 
trans +ENQ 5 3 
trans +D1 3 3 
state 3 
trans +ENQ 6 3 
trans +D2 1 3 
state 4 
trans -A0 1 3 
state 5 
trans -A1 2 3 
state 6 
trans -A2 3 3 
machine 3 
state 1 
trans +D0 2 1 
trans +D1 3 1 
trans +D2 4 1 
trans +I00 20 
trans +I10 21 
trans +I20 22 
trans +I01 23 
trans +I11 24 
trans +I21 25 
trans +I02 26 
trans +I12 27 
trans +I22 28 
state 2 
trans -ENQ 8 2 
state 3 
trans -ENQ 9 2 
state 4 
trans -ENQ 10 2 
state 8 
trans +A0 11 2 
trans +A1 12 2 
trans +A2 13 2 
state 9 
trans +A0 14 2 
trans +A1 15 2 
trans +A2 16 2 
state 10 
trans +A0 17 2 
trans +A1 18 2 
trans +A2 19 2 
state 11 
trans -I00 1 4 
state 12 
trans -I01 1 4 
state 13 
trans -I02 1 4 
state 14 
trans -I10 1 4 
state 15 
trans -I11 1 4 
state 16 
trans -I12 1 4 
state 17 
trans -I20 1 4 
state 18 
trans -I21 1 4 
state 19 
trans -I22 1 4 
state 20 
trans -D0 29 2 
state 21 
trans -D1 29 2 
state 22 
trans -D2 29 2 
state 23 
trans -D0 30 2 
state 24 
trans -D1 30 2 
state 25 
trans -D2 30 2 
state 26 
trans -D0 31 2 
state 27 
trans -D1 31 2 
state 28 
trans -D2 31 2 
state 29 
trans -A0 1 1 
state 30 
trans -A1 1 1 
state 31 
trans -A2 1 1 
machine 4 
state 1 
trans +D0 2 5 
trans +D1 3 5 
trans +D2 4 5 
trans +I00 20 3 
trans +I10 21 3 
trans +I20 22 3 
trans +I01 23 3 
trans +I11 24 3 
trans +I21 25 3 
trans +I02 26 3 
trans +I12 27 3 
trans +I22 28 3 
state 2 
trans -ENQ 8 6 
state 3 
trans -ENQ 9 6 
state 4 
trans -ENQ 10 6 
state 8 
trans +A0 11 6 
trans +A1 12 6 
trans +A2 13 6 
state 9 
trans +A0 14 
trans +A1 15 
trans +A2 16 
state 10 
trans +A0 17 
trans +A1 18 
trans +A2 19 
state 11 
trans -I00 1 
state 12 
trans -I01 1 
state 13 
trans -I02 1 
state 14 
trans -I10 1 
state 15 
trans -I11 1 
state 16 
trans -I12 1 
state 17 
trans -I20 1 
state 18 
trans -I21 1 
state 19 
trans -I22 1 
state 20 
trans -D0 
state 21 
trans -D1 
state 22 
trans -D2 
state 23 
trans -D0 30 
state 24 
trans -D1 30 
state 25 
trans -D2 30 
state 26 
trans -D0 31 
state 27 
trans -D1 31 
state 28 
trans -D2 31 
state 29 
trans -A0 
state 30 
trans -A1 
state 31 
trans -A2 
machine 5 
state 1 
trans +A0 
trans -D0 
state 2 
trans +A0 
trans -D1 
trans +A1 
state 3 
trans +A0 
trans +A1 
trans +A2 
state 4 
trans +A1 
trans -D1 
state 5 
trans +A1 
trans +A2 
trans -D2 
state 6 
trans +A1 
trans +A0 
trans +A2 
state 7 
trans +A2 
trans -D2 
state 8 
trans +A2 
trans +A0 
trans -D0 9 4 
state 9 
trans +A2 9 
trans +A0 2 
trans +A1 4 
machine 6 
state 1 
trans +ENQ 4 4 
trans +D0 2 4 
state 2 
trans +ENQ 5 4 
trans +D1 3 4 
state 3 
trans +ENQ 6 4 
trans +D2 1 4 
state 4 
trans -A0 1 4 
state 5 
trans -A1 2 4 
state 6 
trans -A2 3 4 
initial state 1 1 1 1 1 1 
finish 


Program Output 


REACHABILITY ANALYSIS of : fad.fsm 
SPECIFICATION 


| Machine 1 State Transitions | 
| Machine 2 State Transitions | 
| Machine 6 State Transitions | 


REACHABILITY GRAPH 


1 [ 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
-D0 3 [ 2,E,D0,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
-D0 4 [ 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,D0,E, 1,E,E,E,E,E] 


2 [ 2,E,D0,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
-D1 3 [ 3,E,D0 D1,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
+D0 1 [ 2,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
-D0 4 [ 2,E,D0,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,D0,E, 1,E,E,E,E,E] 


3 [ 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,D0,E, 1,E,E,E,E,E] 
-D0 3 [ 2,E,D0,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,D0,E, 1,E,E,E,E,E] 
+D0 5 [ 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,E,E, 2,E,E,E,E,E, 1,E,E,E,E,E] 
-D1 4 [ 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 3,E,E,E,D0 D1,E, 1,E,E,E,E,E] 


4 [ 3,E,D0 D1,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
+D0 1 [ 3,E,D1,E,E,E, 1,E,E,E,E,E, 2,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
-D0 4 [ 3,E,D0 D1,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,D0,E, 1,E,E,E,E,E] 


5 [ 2,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
-D1 3 [ 3,E,D1,E,E,E, 1,E,E,E,E,E, 2,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
-ENQ 2 [ 2,E,E,E,E,E, 1,E,E,E,E,E, 8,E,ENQ,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E] 
-D0 4 [ 2,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,E,E, 1,E,E,E,E,E, 2,E,E,E,D0,E, 1,E,E,E,E,E] 

... 

17034 [ 3,E,E,E,E,E, 3,E,E,E,E,E, 1,E,E,E,E,E, 1,E,E,E,E,E, 3,E,E,E,E,E, 3,E,E,E,E,E] 
********** DEADLOCK Condition ********** 


17035 [ 6,E,E,E,E,E, 3,E,E,E,E,E, 30,E,E,I11 I21,E,E, 1,E,E,E,E,E, 3,E,E,E,E,E, 2,E,E,E,E,E] 
-A1 1 [ 6,E,E,E,E,E, 3,E,E,E,E,E, 1,A1,E,I11 I21,E,E, 1,E,E,E,E,E, 3,E,E,E,E,E, 2,E,E,E,E,E] 17034 


73391... 


SUMMARY OF REACHABILTY ANALYSIS (ANALYSIS COMPLETED) 


Total number of states generated : 73391 
Number of states analyzed : 73391 
number of deadlocks : 1 

number of unspecified receptions : 0 
maximum message queue size : 6 
channel overflow : NONE 


UNEXECUTED TRANSITIONS 
***NONE*** 


APPENDIX B (Go back N Window Size of 10) 


FSM Text File 


start 
number of machines 2 
machine 1 
state 0 
trans snd_data 
state 1 
trans rcv_ack0 
trans snd_data 
state 2 
trans rcv_ack0 
trans rcv_ack1 
trans snd_data 
state 3 
trans rcv_ack0 
trans rcv_ack1 
trans rcv_ack2 
trans snd_data 
state 4 
trans rcv_ack0 
trans rcv_ack1 
trans rcv_ack2 
trans rcv_ack3 
trans snd_data 
state 5 
trans rcv_ack0 
trans rcv_ack1 
trans rcv_ack2 
trans rcv_ack3 
trans rcv_ack4 
trans snd_data 
state 6 
trans rcv_ack0 
trans rcv_ack1 
trans rcv_ack2 
trans rcv_ack3 
trans rcv_ack4 
trans rcv_ack5 
trans snd_data 
state 7 
trans rcv_ack0 
trans rcv_ack1 
trans rcv_ack2 
trans rcv_ack3 
trans rcv_ack4 
trans rcv_ack5 
trans rcv_ack6 
trans snd_data 
state 8 
trans rcv_ack0 
trans rcv_ack1 
trans rcv_ack2 
trans rcv_ack3 
trans rcv_ack4 
trans rcv_ack5 
trans rcv_ack6 
trans rcv_ack7 
trans snd_data 
state 9 
trans rcv_ack0 
trans rcv_ack1 
trans rcv_ack2 
trans rcv_ack3 
trans rcv_ack4 
trans rcv_ack5 
trans rcv_ack6 
trans rcv_ack7 
trans rcv_ack8 
trans snd_data 
state 10 
trans rcv_ack0 
trans rcv_ack1 
trans rcv_ack2 
trans rcv_ack3 
trans rcv_ack4 
trans rcv_ack5 
trans rcv_ack6 
trans rcv_ack7 
trans rcv_ack8 
trans rcv_ack9 
machine 2 
state 0 
trans rcv_data 1 
state 1 
trans rcv_data 2 
trans snd_ack 0 
state 2 
trans rcv_data 3 
trans snd_ack 0 
state 3 
trans rcv_data 4 
trans snd_ack 0 
state 4 
trans rcv_data 5 
trans snd_ack 0 
state 5 
trans rcv_data 6 
trans snd_ack 0 
state 6 
trans rcv_data 7 
trans snd_ack 0 
state 7 
trans rcv_data 8 
trans snd_ack 0 
state 8 
trans rcv_data 9 
trans snd_ack 0 
state 9 
trans rcv_data 10 
trans snd_ack 0 
state 10 
trans snd_ack 0 
initial state 0 0 
finish 


Variable Definitions 


with TEXT_IO; use TEXT_IO; 
package definitions is 
   num_of_machines : constant := 2; 

   -- Transition names used in the FSM text file 
   type scm_transition_type is 
      (snd_data, rcv_data, rcv_ack0, rcv_ack1, rcv_ack2, rcv_ack3, rcv_ack4, 
       rcv_ack5, rcv_ack6, rcv_ack7, rcv_ack8, rcv_ack9, snd_ack, unused); 

   -- Data blocks d0..d9; e marks an empty buffer 
   type buffer_type is (d0, d1, d2, d3, d4, d5, d6, d7, d8, d9, e); 
   package buff_enum_io is new enumeration_io(buffer_type); 
   use buff_enum_io; 

   type buffer_array_type is array(1..10) of buffer_type; 
   type seq_array_type is array(1..10) of integer range -1..10; 

   -- Local variables of machine 1 (sender) 
   type machine1_state_type is 
      record 
         Sdata : buffer_array_type := (d0, d1, d2, d3, d4, d5, d6, d7, d8, d9); 
         seq   : integer range 0..10 := 0; 
         i     : integer range 1..10 := 1; 
      end record; 

   type dummy_type is range 1..255; 

   -- Local variables of machine 2 (receiver). The initial values of exp and j 
   -- are illegible in the scan; 0 and 1 are assumed by analogy with machine 1. 
   type machine2_state_type is 
      record 
         Rdata : buffer_type := e; 
         exp   : integer range 0..10 := 0; 
         j     : integer range 1..10 := 1; 
      end record; 

   -- Machines 3..8 are unused in this specification 
   type machine3_state_type is 
      record 
         dummy : dummy_type; 
      end record; 

   type machine4_state_type is 
      record 
         dummy : dummy_type; 
      end record; 

   type machine5_state_type is 
      record 
         dummy : dummy_type; 
      end record; 

   type machine6_state_type is 
      record 
         dummy : dummy_type; 
      end record; 

   type machine7_state_type is 
      record 
         dummy : dummy_type; 
      end record; 

   type machine8_state_type is 
      record 
         dummy : dummy_type; 
      end record; 

   -- Shared variables: the data and sequence-number buffers and the ACK cell 
   type global_variable_type is 
      record 
         DATA : buffer_array_type := (e, e, e, e, e, e, e, e, e, e); 
         SEQ  : seq_array_type := (-1, -1, -1, -1, -1, -1, -1, -1, -1, -1); 
         ACK  : integer range -1..10 := -1; 
      end record; 

end definitions; 


Predicate-action Table 


separate (main) 
-- Pushes onto w every transition of machine 1 that is enabled in state s. 
procedure Analyze_Predicates_Machine1(local  : machine1_state_type; 
                                      GLOBAL : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 

   temp1  : integer := GLOBAL.ACK + 0; 
   temp2  : integer := (GLOBAL.ACK + 1) mod 11; 
   temp3  : integer := (GLOBAL.ACK + 2) mod 11; 
   temp4  : integer := (GLOBAL.ACK + 3) mod 11; 
   temp5  : integer := (GLOBAL.ACK + 4) mod 11; 
   temp6  : integer := (GLOBAL.ACK + 5) mod 11; 
   temp7  : integer := (GLOBAL.ACK + 6) mod 11; 
   temp8  : integer := (GLOBAL.ACK + 7) mod 11; 
   temp9  : integer := (GLOBAL.ACK + 8) mod 11; 
   temp10 : integer := (GLOBAL.ACK + 9) mod 11; 

begin 
   case s is 
      when 0 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
      when 1 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
      when 2 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack1); 
         end if; 
      when 3 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack1); 
         end if; 
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack2); 
         end if; 
      when 4 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack1); 
         end if; 
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack2); 
         end if; 
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack3); 
         end if; 
      when 5 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack1); 
         end if; 
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack2); 
         end if; 
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack3); 
         end if; 
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack4); 
         end if; 
      when 6 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack1); 
         end if; 
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack2); 
         end if; 
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack3); 
         end if; 
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack4); 
         end if; 
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack5); 
         end if; 
      when 7 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack1); 
         end if; 
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack2); 
         end if; 
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack3); 
         end if; 
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack4); 
         end if; 
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack5); 
         end if; 
         if ((temp7 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack6); 
         end if; 
      when 8 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack1); 
         end if; 
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack2); 
         end if; 
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack3); 
         end if; 
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack4); 
         end if; 
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack5); 
         end if; 
         if ((temp7 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack6); 
         end if; 
         if ((temp8 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack7); 
         end if; 
      when 9 => 
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then 
            Push(w, snd_data); 
         end if; 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack1); 
         end if; 
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack2); 
         end if; 
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack3); 
         end if; 
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack4); 
         end if; 
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack5); 
         end if; 
         if ((temp7 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack6); 
         end if; 
         if ((temp8 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack7); 
         end if; 
         if ((temp9 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack8); 
         end if; 
         if ((temp10 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack9); 
         end if; 
      when 10 => 
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack0); 
         end if; 
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack1); 
         end if; 
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack2); 
         end if; 
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack3); 
         end if; 
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack4); 
         end if; 
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack5); 
         end if; 
         if ((temp7 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack6); 
         end if; 
         if ((temp8 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack7); 
         end if; 
         if ((temp9 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack8); 
         end if; 
         if ((temp10 = local.seq) and (GLOBAL.ACK /= -1)) then 
            Push(w, rcv_ack9); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine1; 
separate (main) 
-- Pushes onto w every transition of machine 2 that is enabled in state s. 
procedure Analyze_Predicates_Machine2(local  : machine2_state_type; 
                                      GLOBAL : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   case s is 
      when 0 => 
         if ((GLOBAL.DATA(local.j) /= E) and (GLOBAL.SEQ(local.j) = local.exp)) then 
            Push(w, rcv_data); 
         end if; 
      when 1|2|3|4|5|6|7|8|9 => 
         if (GLOBAL.DATA(local.j) = E) then 
            Push(w, snd_ack); 
         end if; 
         if ((GLOBAL.DATA(local.j) /= E) and (GLOBAL.SEQ(local.j) = local.exp)) then 
            Push(w, rcv_data); 
         end if; 
      when 10 => 
         if (GLOBAL.DATA(local.j) = E) then 
            Push(w, snd_ack); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine2; 
-- Machines 3..8 are unused in this specification, so their predicate 
-- procedures enable no transitions. 
separate (main) 
procedure Analyze_Predicates_Machine3(local  : machine3_state_type; 
                                      GLOBAL : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   null; 
end Analyze_Predicates_Machine3; 

separate (main) 
procedure Analyze_Predicates_Machine4(local  : machine4_state_type; 
                                      GLOBAL : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   null; 
end Analyze_Predicates_Machine4; 

separate (main) 
procedure Analyze_Predicates_Machine5(local  : machine5_state_type; 
                                      GLOBAL : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   null; 
end Analyze_Predicates_Machine5; 

separate (main) 
procedure Analyze_Predicates_Machine6(local  : machine6_state_type; 
                                      GLOBAL : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   null; 
end Analyze_Predicates_Machine6; 

separate (main) 
procedure Analyze_Predicates_Machine7(local  : machine7_state_type; 
                                      GLOBAL : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   null; 
end Analyze_Predicates_Machine7; 

separate (main) 
procedure Analyze_Predicates_Machine8(local  : machine8_state_type; 
                                      GLOBAL : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   null; 
end Analyze_Predicates_Machine8; 


separate (main) 
-- Applies the action of in_transition to in_system_state and stores the 
-- resulting local and shared variables in out_system_state. 
procedure Action(in_system_state  : in out Gstate_record_type; 
                 in_transition    : in out scm_transition_type; 
                 out_system_state : in out Gstate_record_type) is 
begin 
   case (in_transition) is 
      when snd_data => 
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine1_state.i) := 
            in_system_state.machine1_state.Sdata(in_system_state.machine1_state.i); 
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine1_state.i) := 
            in_system_state.machine1_state.seq; 
         out_system_state.machine1_state.i := (in_system_state.machine1_state.i mod 10) + 1; 
         out_system_state.machine1_state.seq := (((in_system_state.machine1_state.seq) + 1) mod 11); 

      when rcv_ack0 | rcv_ack1 | rcv_ack2 | rcv_ack3 | rcv_ack4 
         | rcv_ack5 | rcv_ack6 | rcv_ack7 | rcv_ack8 | rcv_ack9 => 
         out_system_state.GLOBAL_VARIABLES.ACK := -1; 

      when snd_ack => 
         out_system_state.GLOBAL_VARIABLES.ACK := in_system_state.machine2_state.exp; 
         out_system_state.machine2_state.Rdata := e; 

      when rcv_data => 
         out_system_state.machine2_state.Rdata := 
            in_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j); 
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j) := E; 
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine2_state.j) := -1; 
         out_system_state.machine2_state.j := (in_system_state.machine2_state.j mod 10) + 1; 
         out_system_state.machine2_state.exp := (((in_system_state.machine2_state.exp) + 1) mod 11); 

      when others => 
         put_line("There is an error in the Action procedure"); 
   end case; 
end Action; 


Output Format 


separate (main) 
-- Prints one system state tuple, or the column header on the first call. 
-- Several separator strings are illegible in the scan; " , " and " " are 
-- assumed where the original literal could not be read. 
procedure output_Gtuple(tuple : in out Gstate_record_type) is 
begin 
   if print_header then 
      new_line(2); 
      set_col(7); 
      put_line(" m1(seq,i,Sdata), m2(exp,j,Rdata), (DATA, SEQ, ACK) "); 
      print_header := false; 
   else 
      put(" [" & integer'image(tuple.machine_state(1))); 
      put(" , "); 
      put(tuple.machine1_state.seq, width => 1); 
      put(" , "); 
      put(tuple.machine1_state.i, width => 1); 
      put(" , "); 
      buff_enum_io.put(tuple.machine1_state.Sdata(1), set => upper_case); 
      put(" ," & integer'image(tuple.machine_state(2))); 
      put(" , "); 
      put(tuple.machine2_state.exp, width => 1); 
      put(" , "); 
      put(tuple.machine2_state.j, width => 1); 
      put(" , "); 
      buff_enum_io.put(tuple.machine2_state.Rdata, set => upper_case); 
      for i in 1..10 loop 
         put(" , "); 
         buff_enum_io.put(tuple.GLOBAL_VARIABLES.DATA(i), set => upper_case); 
         put(" "); 
         put(tuple.GLOBAL_VARIABLES.SEQ(i), width => 1); 
      end loop; 
      put(" , "); 
      put(tuple.GLOBAL_VARIABLES.ACK, width => 1); 
      put(" ]"); 
   end if; 
end output_Gtuple; 


Program Output (System State Analysis) 


REACHABILITY ANALYSIS of : gbn_10.scm 
SPECIFICATION 


| From | To | Transition | 
| snd_data 
| rcv_ack0 
| snd_data 
| rcv_ack0 
| rcv_ack1 
| snd_data 
| rcv_ack0 
| rcv_ack1 
| rcv_ack2 
| snd_data 
| rcv_ack0 
| rcv_ack1 
| rcv_ack2 
| rcv_ack3 
| snd_data 
| rcv_ack0 
| rcv_ack1 
| rcv_ack2 
| rcv_ack3 
| rcv_ack4 
| snd_data 
| rcv_ack0 
| rcv_ack1 
| rcv_ack2 
| rcv_ack3 
| rcv_ack4 
| rcv_ack5 
| snd_data 
| rcv_ack0 
| rcv_ack1 
| rcv_ack2 
| rcv_ack3 
| rcv_ack4 
| rcv_ack5 
| rcv_ack6 
| snd_data 
| rcv_ack0 
| rcv_ack1 
| rcv_ack2 
| rcv_ack3 
| rcv_ack4 
| rcv_ack5 
| rcv_ack6 
| rcv_ack7 
| snd_data 
| rcv_ack0 
| rcv_ack1 
| rcv_ack2 
| rcv_ack3 
| rcv_ack4 
| rcv_ack5 
| rcv_ack6 
| rcv_ack7 
| rcv_ack8 
| snd_data 
| rcv_ack0 
| rcv_ack1 
| rcv_ack2 
| rcv_ack3 
| rcv_ack4 
| rcv_ack5 
| rcv_ack6 
| rcv_ack7 
| rcv_ack8 
| rcv_ack9 


| Machine 2 State Transitions | 
| rcv_data 
| rcv_data 
| snd_ack 
| rcv_data 
| snd_ack 
| rcv_data 
| snd_ack 
| rcv_data 
| snd_ack 
| rcv_data 
| snd_ack 
| rcv_data 
| snd_ack 
| rcv_data 
| snd_ack 
| rcv_data 
| snd_ack 
| rcv_data 
| snd_ack 
| snd_ack 


REACHABILITY GRAPH 


250 


251 


252 


253 


254 


255 


256 


257 


258 


259 


260 


261 


262 


263 


264 
265 
266 
267 
268 
269 
270 
271 
272 
273 
274 
275 


276 
277 


[ 9, 6 


[10, 6 


[ 9, 7 


[10, 1 


[ 9, 2 


[10, 2 


[ 9, 3 


[10, 3 


[ 9, 4 


[10, 4 


| 


(10, 5 


[ 9, 6 


[10, 6 


[ 9, 7 


(10, 7 


[10,10 
[10, 0 


[10, 1 
[10, 2 
[10, 3 
[10, 4 
[10, 5 
[10, 6 
[10, 7 
[10, 8 


[10, 0 
foe 4 


rev_ack7 
snd_data 
rev_data 
rcv_ack9 
rev_data 
rev_ack8 
and_data 
rev_data 
rev_data 
rev_ackO 
and_data 
rev ack2 
rev data 
rev_ackl 
snd_data 
snd_ack 

rev_ack3 
rev_data 
rcev_ack2 
snd_data 
and ack 

rev_ack4 
rcv_data 
rev ack3 
snd data 
snd_ack 

rev_ack5 
rev_data 
rev ack4 
and data 
snd_ack 

rev_ack6 
rev_data 
rev_ack5 
snd_data 
snd_ack 

rev_ack?7 
rev_data 
rev_ack6 
snd_data 
snd ack 


rev_ack8 
rev_data 
rev_ack7 
and data 
and_ack 

rev_ack9 
rev_data 
rev_ack8 
snd data 
and_ack 

snd_ack 

rev ackl 
rev_ data 
rev_ack2 
rev _ data 
rev ack3 
rev data 
rev_ack4 
rev_data 
rev_ack5 
rev_data 
rev_ack6é 
rev_data 
rev_ack?7 
rev_data 
rev_ack8 
rev_data 
rev_ack9 
rev _ data 
rev_ackO 
rev_ackl 
and_ack 
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262 
263 
163 
264 
164 
264 


274 
143 


we, 


278 (10, 2] 9 rev_ack2 9 
and_ack 276 


279 (10, 3 ) 7 rev_ack3 20 
snd_ack 276 
280 (10, 4) 6 rev_ack4 38 
and_ack 276 
281 {10, 5) 5 rev_ackS 65 
snd ack 276 
282 {10, 6} 4 rev_ack6 100 


snd_ack 276 
rev_ack7 143 
snd_ack 276 
rev_ack8 189 
snd_ack 276 
rev_ack9 232 
snd_ack 276 


283 (10, 7 ) 


284 (10, 8 ) 


Y-~ ND WwW 
SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED) 


Number of states generated :286 
Number of states analyzed :286 
Number of deadlocks : 0 


UNEXECUTED TRANSITIONS 
***** NONE ***** 
APPENDIX C ( Token Bus Protocol ) 


FSM Text File 


start 
number of machines 8 

machine 1 
state 0 
trans rcv1 1 
trans get_tk1 2 
state 1 
trans ready1 0 
state 2 
trans Xmit1 3 
trans pass1 0 
state 3 
trans moreD1 2 
trans pass_tk1 0 

machine 2 
state 0 
trans rcv2 1 
trans get_tk2 2 
state 1 
trans ready2 0 
state 2 
trans Xmit2 3 
trans pass2 0 
state 3 
trans moreD2 2 
trans pass_tk2 0 

machine 3 
state 0 
trans rcv3 1 
trans get_tk3 2 
state 1 
trans ready3 0 
state 2 
trans Xmit3 3 
trans pass3 0 
state 3 
trans moreD3 2 
trans pass_tk3 0 

machine 4 
state 0 
trans rcv4 1 
trans get_tk4 2 
state 1 
trans ready4 0 
state 2 
trans Xmit4 3 
trans pass4 0 
state 3 
trans moreD4 2 
trans pass_tk4 0 

machine 5 
state 0 
trans rcv5 1 
trans get_tk5 2 
state 1 
trans ready5 0 
state 2 
trans Xmit5 3 
trans pass5 0 
state 3 
trans moreD5 2 
trans pass_tk5 0 

machine 6 
state 0 
trans rcv6 1 
trans get_tk6 2 
state 1 
trans ready6 0 
state 2 
trans Xmit6 3 
trans pass6 0 
state 3 
trans moreD6 2 
trans pass_tk6 0 

machine 7 
state 0 
trans rcv7 1 
trans get_tk7 2 
state 1 
trans ready7 0 
state 2 
trans Xmit7 3 
trans pass7 0 
state 3 
trans moreD7 2 
trans pass_tk7 0 

machine 8 
state 0 
trans rcv8 1 
trans get_tk8 2 
state 1 
trans ready8 0 
state 2 
trans Xmit8 3 
trans pass8 0 
state 3 
trans moreD8 2 
trans pass_tk8 0 

initial state 00000000 


finish 
Variable Definitions (No Message in outbuf Variables) 


with TEXT_IO; use TEXT_IO; 
package definitions is 
   num_of_machines : constant := 8; 
   k : constant := 7; -- number of rows (messages) in output buffer 
   type scm_transition_type is (pass1, pass2, pass3, pass4, pass5, pass6, 
                                pass7, pass8, get_tk1, get_tk2, 
                                get_tk3, get_tk4, get_tk5, get_tk6, 
                                get_tk7, get_tk8, Xmit1, Xmit2, Xmit3, 
                                Xmit4, Xmit5, Xmit6, Xmit7, Xmit8, moreD1, 
                                moreD2, moreD3, moreD4, moreD5, 
                                moreD6, moreD7, moreD8, pass_tk4, pass_tk5, 
                                pass_tk6, pass_tk7, pass_tk8, 
                                pass_tk1, pass_tk2, pass_tk3, 
                                rcv1, rcv4, rcv5, rcv6, rcv7, rcv8, 
                                rcv2, rcv3, ready1, ready2, ready3, 
                                ready4, ready5, ready6, ready7, ready8, unused); 

   type dummy_type is range 1..255; 

   type t_field_type is (D, T, E); 

   package t_field_enum_io is new enumeration_IO(t_field_type); 
   use t_field_enum_io; 

   type MEDIUM_TYPE is 
      record 
         t    : t_field_type; 
         DA   : integer range 1..8; 
         SA   : integer range 1..8; 
         data : character; 
      end record; 

   type input_buffer_type is 
      record 
         DA   : integer range 0..8 := 0; 
         SA   : integer range 0..8 := 0; 
         data : character := 'E'; 
      end record; 

   type output_buffer_type is array (1..k) of MEDIUM_TYPE; 

   type machine1_state_type is 
      record 
         next   : integer := 2;                -- address of downstream neighbor 
         i      : integer := 1;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((E,2,1,'I'), (E,3,1,'I'), 
                                         (E,4,1,'I'), (E,5,1,'I'), 
                                         (E,6,1,'I'), (E,7,1,'I'), (E,8,1,'I')); 
      end record; 

   type machine2_state_type is 
      record 
         next   : integer := 3;                -- address of downstream neighbor 
         i      : integer := 2;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((E,1,2,'I'), (E,3,2,'I'), 
                                         (E,4,2,'I'), (E,5,2,'I'), 
                                         (E,6,2,'I'), (E,7,2,'I'), (E,8,2,'I')); 
      end record; 

   type machine3_state_type is 
      record 
         next   : integer := 4;                -- address of downstream neighbor 
         i      : integer := 3;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((E,1,3,'I'), (E,2,3,'I'), 
                                         (E,4,3,'I'), (E,5,3,'I'), 
                                         (E,6,3,'I'), (E,7,3,'I'), (E,8,3,'I')); 
      end record; 

   type machine4_state_type is 
      record 
         next   : integer := 5;                -- address of downstream neighbor 
         i      : integer := 4;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((E,1,4,'I'), (E,2,4,'I'), (E,3,4,'I'), (E,5,4,'I'), 
                                         (E,6,4,'I'), (E,7,4,'I'), (E,8,4,'I')); 
      end record; 

   type machine5_state_type is 
      record 
         next   : integer := 6;                -- address of downstream neighbor 
         i      : integer := 5;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((E,1,5,'I'), (E,2,5,'I'), (E,3,5,'I'), (E,4,5,'I'), 
                                         (E,6,5,'I'), (E,7,5,'I'), (E,8,5,'I')); 
      end record; 

   type machine6_state_type is 
      record 
         next   : integer := 7;                -- address of downstream neighbor 
         i      : integer := 6;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((E,1,6,'I'), (E,2,6,'I'), (E,3,6,'I'), (E,4,6,'I'), 
                                         (E,5,6,'I'), (E,7,6,'I'), (E,8,6,'I')); 
      end record; 

   type machine7_state_type is 
      record 
         next   : integer := 8;                -- address of downstream neighbor 
         i      : integer := 7;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((E,1,7,'I'), (E,2,7,'I'), (E,3,7,'I'), (E,4,7,'I'), 
                                         (E,5,7,'I'), (E,6,7,'I'), (E,8,7,'I')); 
      end record; 

   type machine8_state_type is 
      record 
         next   : integer := 1;                -- address of downstream neighbor 
         i      : integer := 8;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((E,1,8,'I'), (E,2,8,'I'), (E,3,8,'I'), (E,4,8,'I'), 
                                         (E,5,8,'I'), (E,6,8,'I'), (E,7,8,'I')); 
      end record; 

   type global_variable_type is 
      record 
         MEDIUM : MEDIUM_TYPE := (T,1,2,'N'); 
      end record; 

end definitions; 
Variable Definitions (One Message in outbuf Variables) 


with TEXT_IO; use TEXT_IO; 
package definitions is 
   num_of_machines : constant := 8; 
   k : constant := 7; -- number of rows (messages) in output buffer 
   type scm_transition_type is (pass1, pass2, pass3, pass4, pass5, pass6, 
                                pass7, pass8, get_tk1, get_tk2, 
                                get_tk3, get_tk4, get_tk5, get_tk6, 
                                get_tk7, get_tk8, Xmit1, Xmit2, Xmit3, 
                                Xmit4, Xmit5, Xmit6, Xmit7, Xmit8, moreD1, 
                                moreD2, moreD3, moreD4, moreD5, 
                                moreD6, moreD7, moreD8, pass_tk4, pass_tk5, 
                                pass_tk6, pass_tk7, pass_tk8, 
                                pass_tk1, pass_tk2, pass_tk3, 
                                rcv1, rcv4, rcv5, rcv6, rcv7, rcv8, 
                                rcv2, rcv3, ready1, ready2, ready3, 
                                ready4, ready5, ready6, ready7, ready8, unused); 

   type dummy_type is range 1..255; 

   type t_field_type is (D, T, E); 

   package t_field_enum_io is new enumeration_IO(t_field_type); 
   use t_field_enum_io; 

   type MEDIUM_TYPE is 
      record 
         t    : t_field_type; 
         DA   : integer range 1..8; 
         SA   : integer range 1..8; 
         data : character; 
      end record; 

   type input_buffer_type is 
      record 
         DA   : integer range 0..8 := 0; 
         SA   : integer range 0..8 := 0; 
         data : character := 'E'; 
      end record; 

   type output_buffer_type is array (1..k) of MEDIUM_TYPE; 

   type machine1_state_type is 
      record 
         next   : integer := 2;                -- address of downstream neighbor 
         i      : integer := 1;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,2,1,'I'), (E,3,1,'I'), 
                                         (E,4,1,'I'), (E,5,1,'I'), 
                                         (E,6,1,'I'), (E,7,1,'I'), (E,8,1,'I')); 
      end record; 

   type machine2_state_type is 
      record 
         next   : integer := 3;                -- address of downstream neighbor 
         i      : integer := 2;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,2,'I'), (E,3,2,'I'), 
                                         (E,4,2,'I'), (E,5,2,'I'), 
                                         (E,6,2,'I'), (E,7,2,'I'), (E,8,2,'I')); 
      end record; 

   type machine3_state_type is 
      record 
         next   : integer := 4;                -- address of downstream neighbor 
         i      : integer := 3;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,3,'I'), (E,2,3,'I'), 
                                         (E,4,3,'I'), (E,5,3,'I'), 
                                         (E,6,3,'I'), (E,7,3,'I'), (E,8,3,'I')); 
      end record; 

   type machine4_state_type is 
      record 
         next   : integer := 5;                -- address of downstream neighbor 
         i      : integer := 4;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,4,'I'), (E,2,4,'I'), (E,3,4,'I'), (E,5,4,'I'), 
                                         (E,6,4,'I'), (E,7,4,'I'), (E,8,4,'I')); 
      end record; 

   type machine5_state_type is 
      record 
         next   : integer := 6;                -- address of downstream neighbor 
         i      : integer := 5;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,5,'I'), (E,2,5,'I'), (E,3,5,'I'), (E,4,5,'I'), 
                                         (E,6,5,'I'), (E,7,5,'I'), (E,8,5,'I')); 
      end record; 

   type machine6_state_type is 
      record 
         next   : integer := 7;                -- address of downstream neighbor 
         i      : integer := 6;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,6,'I'), (E,2,6,'I'), (E,3,6,'I'), (E,4,6,'I'), 
                                         (E,5,6,'I'), (E,7,6,'I'), (E,8,6,'I')); 
      end record; 

   type machine7_state_type is 
      record 
         next   : integer := 8;                -- address of downstream neighbor 
         i      : integer := 7;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,7,'I'), (E,2,7,'I'), (E,3,7,'I'), (E,4,7,'I'), 
                                         (E,5,7,'I'), (E,6,7,'I'), (E,8,7,'I')); 
      end record; 

   type machine8_state_type is 
      record 
         next   : integer := 1;                -- address of downstream neighbor 
         i      : integer := 8;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,8,'I'), (E,2,8,'I'), (E,3,8,'I'), (E,4,8,'I'), 
                                         (E,5,8,'I'), (E,6,8,'I'), (E,7,8,'I')); 
      end record; 

   type global_variable_type is 
      record 
         MEDIUM : MEDIUM_TYPE := (T,1,2,'E'); 
      end record; 

end definitions; 
Variable Definitions 
There are seven messages in the outbuf variable of each machine, and each machine sends 
one message to each of the other machines in the network. 


with TEXT_IO; use TEXT_IO; 
package definitions is 
   num_of_machines : constant := 8; 
   k : constant := 7; -- number of rows (messages) in output buffer 
   type scm_transition_type is (pass1, pass2, pass3, pass4, pass5, pass6, 
                                pass7, pass8, get_tk1, get_tk2, 
                                get_tk3, get_tk4, get_tk5, get_tk6, 
                                get_tk7, get_tk8, Xmit1, Xmit2, Xmit3, 
                                Xmit4, Xmit5, Xmit6, Xmit7, Xmit8, moreD1, 
                                moreD2, moreD3, moreD4, moreD5, 
                                moreD6, moreD7, moreD8, pass_tk4, pass_tk5, 
                                pass_tk6, pass_tk7, pass_tk8, 
                                pass_tk1, pass_tk2, pass_tk3, 
                                rcv1, rcv4, rcv5, rcv6, rcv7, rcv8, 
                                rcv2, rcv3, ready1, ready2, ready3, 
                                ready4, ready5, ready6, ready7, ready8, unused); 

   type dummy_type is range 1..255; 

   type t_field_type is (D, T, E); 

   package t_field_enum_io is new enumeration_IO(t_field_type); 
   use t_field_enum_io; 

   type MEDIUM_TYPE is 
      record 
         t    : t_field_type; 
         DA   : integer range 1..8; 
         SA   : integer range 1..8; 
         data : character; 
      end record; 

   type input_buffer_type is 
      record 
         DA   : integer range 0..8 := 0; 
         SA   : integer range 0..8 := 0; 
         data : character := 'E'; 
      end record; 

   type output_buffer_type is array (1..k) of MEDIUM_TYPE; 

   type machine1_state_type is 
      record 
         next   : integer := 2;                -- address of downstream neighbor 
         i      : integer := 1;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,2,1,'I'), (D,3,1,'I'), 
                                         (D,4,1,'I'), (D,5,1,'I'), 
                                         (D,6,1,'I'), (D,7,1,'I'), (D,8,1,'I')); 
      end record; 

   type machine2_state_type is 
      record 
         next   : integer := 3;                -- address of downstream neighbor 
         i      : integer := 2;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,2,'I'), (D,3,2,'I'), 
                                         (D,4,2,'I'), (D,5,2,'I'), 
                                         (D,6,2,'I'), (D,7,2,'I'), (D,8,2,'I')); 
      end record; 

   type machine3_state_type is 
      record 
         next   : integer := 4;                -- address of downstream neighbor 
         i      : integer := 3;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,3,'I'), (D,2,3,'I'), 
                                         (D,4,3,'I'), (D,5,3,'I'), 
                                         (D,6,3,'I'), (D,7,3,'I'), (D,8,3,'I')); 
      end record; 

   type machine4_state_type is 
      record 
         next   : integer := 5;                -- address of downstream neighbor 
         i      : integer := 4;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,4,'I'), (D,2,4,'I'), (D,3,4,'I'), (D,5,4,'I'), 
                                         (D,6,4,'I'), (D,7,4,'I'), (D,8,4,'I')); 
      end record; 

   type machine5_state_type is 
      record 
         next   : integer := 6;                -- address of downstream neighbor 
         i      : integer := 5;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,5,'I'), (D,2,5,'I'), (D,3,5,'I'), (D,4,5,'I'), 
                                         (D,6,5,'I'), (D,7,5,'I'), (D,8,5,'I')); 
      end record; 

   type machine6_state_type is 
      record 
         next   : integer := 7;                -- address of downstream neighbor 
         i      : integer := 6;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,6,'I'), (D,2,6,'I'), (D,3,6,'I'), (D,4,6,'I'), 
                                         (D,5,6,'I'), (D,7,6,'I'), (D,8,6,'I')); 
      end record; 

   type machine7_state_type is 
      record 
         next   : integer := 8;                -- address of downstream neighbor 
         i      : integer := 7;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,7,'I'), (D,2,7,'I'), (D,3,7,'I'), (D,4,7,'I'), 
                                         (D,5,7,'I'), (D,6,7,'I'), (D,8,7,'I')); 
      end record; 

   type machine8_state_type is 
      record 
         next   : integer := 1;                -- address of downstream neighbor 
         i      : integer := 8;                -- station's own address 
         ctr    : integer range 1..(k+1) := 1; -- counter for messages sent 
         j      : integer range 1..k := 1;     -- index for output buffer 
         inbuf  : input_buffer_type;           -- stores the received messages 
         outbuf : output_buffer_type := ((D,1,8,'I'), (D,2,8,'I'), (D,3,8,'I'), (D,4,8,'I'), 
                                         (D,5,8,'I'), (D,6,8,'I'), (D,7,8,'I')); 
      end record; 

   type global_variable_type is 
      record 
         MEDIUM : MEDIUM_TYPE := (T,1,2,'N'); 
      end record; 

end definitions; 
Predicate-Action Table 


separate (main) 
procedure Analyze_Predicates_Machine1(local  : machine1_state_type; 
                                      global : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   case s is 
      when 0 => 
         -- state 0: accept a data frame or the token addressed to this station 
         if ( (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) ) then 
            push(w, rcv1); 
         end if; 
         if ( (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) ) then 
            push(w, get_tk1); 
         end if; 
      when 1 => 
         -- state 1: frame received 
         push(w, ready1); 
      when 2 => 
         -- state 2: token held; transmit if outbuf(j) holds a message, else pass 
         if ( local.outbuf(local.j).t /= E ) then 
            push(w, Xmit1); 
         end if; 
         if ( local.outbuf(local.j).t = E ) then 
            push(w, pass1); 
         end if; 
      when 3 => 
         -- state 3: once the medium is empty, send more data or pass the token 
         if ( (global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and 
              (local.ctr <= k) ) then 
            push(w, moreD1); 
         end if; 
         if ( (global.MEDIUM.t = E) and ( (local.outbuf(local.j).t = E) 
              or (local.ctr = (k+1)) ) ) then 
            push(w, pass_tk1); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine1; 


separate (main) 
procedure Analyze_Predicates_Machine2(local  : machine2_state_type; 
                                      global : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   case s is 
      when 0 => 
         -- state 0: accept a data frame or the token addressed to this station 
         if ( (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) ) then 
            push(w, rcv2); 
         end if; 
         if ( (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) ) then 
            push(w, get_tk2); 
         end if; 
      when 1 => 
         -- state 1: frame received 
         push(w, ready2); 
      when 2 => 
         -- state 2: token held; transmit if outbuf(j) holds a message, else pass 
         if ( local.outbuf(local.j).t /= E ) then 
            push(w, Xmit2); 
         end if; 
         if ( local.outbuf(local.j).t = E ) then 
            push(w, pass2); 
         end if; 
      when 3 => 
         -- state 3: once the medium is empty, send more data or pass the token 
         if ( (global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and 
              (local.ctr <= k) ) then 
            push(w, moreD2); 
         end if; 
         if ( (global.MEDIUM.t = E) and ( (local.outbuf(local.j).t = E) 
              or (local.ctr = (k+1)) ) ) then 
            push(w, pass_tk2); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine2; 


separate (main) 
procedure Analyze_Predicates_Machine3(local  : machine3_state_type; 
                                      global : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   case s is 
      when 0 => 
         -- state 0: accept a data frame or the token addressed to this station 
         if ( (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) ) then 
            push(w, rcv3); 
         end if; 
         if ( (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) ) then 
            push(w, get_tk3); 
         end if; 
      when 1 => 
         -- state 1: frame received 
         push(w, ready3); 
      when 2 => 
         -- state 2: token held; transmit if outbuf(j) holds a message, else pass 
         if ( local.outbuf(local.j).t /= E ) then 
            push(w, Xmit3); 
         end if; 
         if ( local.outbuf(local.j).t = E ) then 
            push(w, pass3); 
         end if; 
      when 3 => 
         -- state 3: once the medium is empty, send more data or pass the token 
         if ( (global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and 
              (local.ctr <= k) ) then 
            push(w, moreD3); 
         end if; 
         if ( (global.MEDIUM.t = E) and ( (local.outbuf(local.j).t = E) 
              or (local.ctr = (k+1)) ) ) then 
            push(w, pass_tk3); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine3; 


separate (main) 
procedure Analyze_Predicates_Machine4(local  : machine4_state_type; 
                                      global : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   case s is 
      when 0 => 
         -- state 0: accept a data frame or the token addressed to this station 
         if ( (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) ) then 
            push(w, rcv4); 
         end if; 
         if ( (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) ) then 
            push(w, get_tk4); 
         end if; 
      when 1 => 
         -- state 1: frame received 
         push(w, ready4); 
      when 2 => 
         -- state 2: token held; transmit if outbuf(j) holds a message, else pass 
         if ( local.outbuf(local.j).t /= E ) then 
            push(w, Xmit4); 
         end if; 
         if ( local.outbuf(local.j).t = E ) then 
            push(w, pass4); 
         end if; 
      when 3 => 
         -- state 3: once the medium is empty, send more data or pass the token 
         if ( (global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and 
              (local.ctr <= k) ) then 
            push(w, moreD4); 
         end if; 
         if ( (global.MEDIUM.t = E) and ( (local.outbuf(local.j).t = E) 
              or (local.ctr = (k+1)) ) ) then 
            push(w, pass_tk4); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine4; 


separate (main) 
procedure Analyze_Predicates_Machine5(local  : machine5_state_type; 
                                      global : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   case s is 
      when 0 => 
         -- state 0: accept a data frame or the token addressed to this station 
         if ( (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) ) then 
            push(w, rcv5); 
         end if; 
         if ( (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) ) then 
            push(w, get_tk5); 
         end if; 
      when 1 => 
         -- state 1: frame received 
         push(w, ready5); 
      when 2 => 
         -- state 2: token held; transmit if outbuf(j) holds a message, else pass 
         if ( local.outbuf(local.j).t /= E ) then 
            push(w, Xmit5); 
         end if; 
         if ( local.outbuf(local.j).t = E ) then 
            push(w, pass5); 
         end if; 
      when 3 => 
         -- state 3: once the medium is empty, send more data or pass the token 
         if ( (global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and 
              (local.ctr <= k) ) then 
            push(w, moreD5); 
         end if; 
         if ( (global.MEDIUM.t = E) and ( (local.outbuf(local.j).t = E) 
              or (local.ctr = (k+1)) ) ) then 
            push(w, pass_tk5); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine5; 


------------------------------------------------------------------------ 


separate (main) 
procedure Analyze_Predicates_Machine6(local  : machine6_state_type; 
                                      global : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   case s is 
      when 0 => 
         -- state 0: accept a data frame or the token addressed to this station 
         if ( (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) ) then 
            push(w, rcv6); 
         end if; 
         if ( (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) ) then 
            push(w, get_tk6); 
         end if; 
      when 1 => 
         -- state 1: frame received 
         push(w, ready6); 
      when 2 => 
         -- state 2: token held; transmit if outbuf(j) holds a message, else pass 
         if ( local.outbuf(local.j).t /= E ) then 
            push(w, Xmit6); 
         end if; 
         if ( local.outbuf(local.j).t = E ) then 
            push(w, pass6); 
         end if; 
      when 3 => 
         -- state 3: once the medium is empty, send more data or pass the token 
         if ( (global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and 
              (local.ctr <= k) ) then 
            push(w, moreD6); 
         end if; 
         if ( (global.MEDIUM.t = E) and ( (local.outbuf(local.j).t = E) 
              or (local.ctr = (k+1)) ) ) then 
            push(w, pass_tk6); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine6; 


------------------------------------------------------------------------ 


separate (main) 
procedure Analyze_Predicates_Machine7(local  : machine7_state_type; 
                                      global : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   case s is 
      when 0 => 
         -- state 0: accept a data frame or the token addressed to this station 
         if ( (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) ) then 
            push(w, rcv7); 
         end if; 
         if ( (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) ) then 
            push(w, get_tk7); 
         end if; 
      when 1 => 
         -- state 1: frame received 
         push(w, ready7); 
      when 2 => 
         -- state 2: token held; transmit if outbuf(j) holds a message, else pass 
         if ( local.outbuf(local.j).t /= E ) then 
            push(w, Xmit7); 
         end if; 
         if ( local.outbuf(local.j).t = E ) then 
            push(w, pass7); 
         end if; 
      when 3 => 
         -- state 3: once the medium is empty, send more data or pass the token 
         if ( (global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and 
              (local.ctr <= k) ) then 
            push(w, moreD7); 
         end if; 
         if ( (global.MEDIUM.t = E) and ( (local.outbuf(local.j).t = E) 
              or (local.ctr = (k+1)) ) ) then 
            push(w, pass_tk7); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine7; 
separate (main) 
procedure Analyze_Predicates_Machine8(local  : machine8_state_type; 
                                      global : global_variable_type; 
                                      s      : natural; 
                                      w      : in out transition_stack_package.stack) is 
begin 
   case s is 
      when 0 => 
         -- state 0: accept a data frame or the token addressed to this station 
         if ( (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) ) then 
            push(w, rcv8); 
         end if; 
         if ( (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) ) then 
            push(w, get_tk8); 
         end if; 
      when 1 => 
         -- state 1: frame received 
         push(w, ready8); 
      when 2 => 
         -- state 2: token held; transmit if outbuf(j) holds a message, else pass 
         if ( local.outbuf(local.j).t /= E ) then 
            push(w, Xmit8); 
         end if; 
         if ( local.outbuf(local.j).t = E ) then 
            push(w, pass8); 
         end if; 
      when 3 => 
         -- state 3: once the medium is empty, send more data or pass the token 
         if ( (global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and 
              (local.ctr <= k) ) then 
            push(w, moreD8); 
         end if; 
         if ( (global.MEDIUM.t = E) and ( (local.outbuf(local.j).t = E) 
              or (local.ctr = (k+1)) ) ) then 
            push(w, pass_tk8); 
         end if; 
      when others => 
         null; 
   end case; 
end Analyze_Predicates_Machine8; 


separate (main) 

procedure Action ( in_system_state : in out Gstate_record type; 
in_ transition : in out scm transition type; 
out_system_state : in out Gatate record type) is 


begin 
case in transition is 
when rcevl => 
out _system_state.machinel state.inbuf.SA 
:=in_system_state.global variables .MEDIUM.SA; 
out system state.machinel state.inbuf.data 
i=in_system_state.global_variables.MEDIUM.data; 
when rcev2 => 
out _system_state.machine2 state.inbuf.SA 
:=in_ system_state.global variables.MEDIUM.SA; 
out system state.machine2 state.inbuf.data 
7 t=in_system_state.global variables .MEDIUM.data; 
when rcev3 => 
out _ system state.machine3 state.inbuf.SA 
:=in_system state.global variables .MEDIUM.SA; 
out _system_state.machine3 state.inbuf.data 
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:#in_system_state.global variables .MEDIUM.data; 
when rev4 => 
out_system_state.machine4 state.inbuf.SA 
:=in_system_state.global variables .MEDIUM.SA; 
out_system_state.machine4 state.inbuf.data 
:=in_ system _state.global variables .MEDIUM.data; 
when rcv5 => 
out _system_state.machine5 state.inbuf.SA 
:sin_ system _state.global variables .MEDIUM.SA; 
out_system_ state.machine5 state.inbuf.data 
:tin_system_state.global variables .MEDIUM.data; 
when rcev6 => 
out_system_state.machine6 state.inbuf.SA 
:win_ system _state.global variables .MEDIUM.SA; 
out_system state.machine6 state.inbuf.data 
:win_ system_state.global variables .MEDIUM.data; 
when rcv7 => 
out_system state.machine? state.inbuf.SA 
:min_system_state.global variables .MEDIUM.SA; 
out system state.machine?7 state.inbuf.data 
:win_system_state.global variables .MEDIUM.data; 
when rev8=> 
out system _state.machine8 state.inbuf.SA 
:=in_system_state.global_ variables .MEDIUM.SA; 
out system _state.machine& state.inbuf.data 
:=in_system_state.global variables.MEDIUM.data; 


when readyl | ready2 | ready3 [ready | reecys || PSARy Clresay ere Sy. => 
out_system_state.global variables .MEDIUM.t ‘=E ,; 


when get tkl => 
out_system_state.global variables .MEDIUM.t := E ; 
out_system_state.machinel state.ctr := 1; 

when get __ tk2 => 
out system state.global_ variables .MEDIUM.t 22 E ; 
out system _state.machine2 state.ctr := 1; 

when get tk3 => 
out_system state.global variables.MEDIUM.t :=E ; 


out_system_state.machine3 state.ctr := 1; 

when get tk4 => 
out system _state.global variables.MEDIUM.t :=E ; 
out system state.machine4 state.ctr := 1; 


when get _tk5 => 
out_system_state.global variables.MEDIUM.t :=E ; 
out_system_state.machine5 state.ctr := 1; 

when get tk6 => 
out system state.global variables.MEDIUM.t :=E ; 
out_system_state.machine6 state.ctr := 1; 

when get_tk7 => 
out_system_state.global variables.MEDIUM.t :=E ; 
out_system state-.machine7 state.ctr := 1; 

when get tk8 => 
out_system_state. global _variables.MEDIUM.t :=E ; 
out system state. machine8_ state.ctr := 1; 


   when pass1 | pass_tk1 =>
      out_system_state.global_variables.MEDIUM.t := T;
      out_system_state.global_variables.MEDIUM.DA
         := in_system_state.machine1_state.next;
      out_system_state.global_variables.MEDIUM.data := 'E';
      out_system_state.global_variables.MEDIUM.SA
         := in_system_state.machine1_state.i;
   when pass2 | pass_tk2 =>
      out_system_state.global_variables.MEDIUM.t := T;
      out_system_state.global_variables.MEDIUM.DA
         := in_system_state.machine2_state.next;
      out_system_state.global_variables.MEDIUM.data := 'E';
      out_system_state.global_variables.MEDIUM.SA
         := in_system_state.machine2_state.i;
   when pass3 | pass_tk3 =>
      out_system_state.global_variables.MEDIUM.t := T;
      out_system_state.global_variables.MEDIUM.DA
         := in_system_state.machine3_state.next;
      out_system_state.global_variables.MEDIUM.data := 'E';
      out_system_state.global_variables.MEDIUM.SA
         := in_system_state.machine3_state.i;
   when pass4 | pass_tk4 =>
      out_system_state.global_variables.MEDIUM.t := T;
      out_system_state.global_variables.MEDIUM.DA
         := in_system_state.machine4_state.next;
      out_system_state.global_variables.MEDIUM.data := 'E';
      out_system_state.global_variables.MEDIUM.SA
         := in_system_state.machine4_state.i;
   when pass5 | pass_tk5 =>
      out_system_state.global_variables.MEDIUM.t := T;
      out_system_state.global_variables.MEDIUM.DA
         := in_system_state.machine5_state.next;
      out_system_state.global_variables.MEDIUM.data := 'E';
      out_system_state.global_variables.MEDIUM.SA
         := in_system_state.machine5_state.i;
   when pass6 | pass_tk6 =>
      out_system_state.global_variables.MEDIUM.t := T;
      out_system_state.global_variables.MEDIUM.DA
         := in_system_state.machine6_state.next;
      out_system_state.global_variables.MEDIUM.data := 'E';
      out_system_state.global_variables.MEDIUM.SA
         := in_system_state.machine6_state.i;
   when pass7 | pass_tk7 =>
      out_system_state.global_variables.MEDIUM.t := T;
      out_system_state.global_variables.MEDIUM.DA
         := in_system_state.machine7_state.next;
      out_system_state.global_variables.MEDIUM.data := 'E';
      out_system_state.global_variables.MEDIUM.SA
         := in_system_state.machine7_state.i;
   when pass8 | pass_tk8 =>
      out_system_state.global_variables.MEDIUM.t := T;
      out_system_state.global_variables.MEDIUM.DA
         := in_system_state.machine8_state.next;
      out_system_state.global_variables.MEDIUM.data := 'E';
      out_system_state.global_variables.MEDIUM.SA
         := in_system_state.machine8_state.i;


   when Xmit1 =>
      out_system_state.global_variables.MEDIUM
         := in_system_state.machine1_state.outbuf(in_system_state.machine1_state.j);
      out_system_state.machine1_state.outbuf(in_system_state.machine1_state.j).t := E;
      out_system_state.machine1_state.ctr
         := (in_system_state.machine1_state.ctr mod 8) + 1;
      out_system_state.machine1_state.j
         := (in_system_state.machine1_state.j mod 7) + 1;
   when Xmit2 =>
      out_system_state.global_variables.MEDIUM
         := in_system_state.machine2_state.outbuf(in_system_state.machine2_state.j);
      out_system_state.machine2_state.outbuf(in_system_state.machine2_state.j).t := E;
      out_system_state.machine2_state.ctr
         := (in_system_state.machine2_state.ctr mod 8) + 1;
      out_system_state.machine2_state.j
         := (in_system_state.machine2_state.j mod 7) + 1;
   when Xmit3 =>
      out_system_state.global_variables.MEDIUM
         := in_system_state.machine3_state.outbuf(in_system_state.machine3_state.j);
      out_system_state.machine3_state.outbuf(in_system_state.machine3_state.j).t := E;
      out_system_state.machine3_state.ctr
         := (in_system_state.machine3_state.ctr mod 8) + 1;
      out_system_state.machine3_state.j
         := (in_system_state.machine3_state.j mod 7) + 1;
   when Xmit4 =>
      out_system_state.global_variables.MEDIUM
         := in_system_state.machine4_state.outbuf(in_system_state.machine4_state.j);
      out_system_state.machine4_state.outbuf(in_system_state.machine4_state.j).t := E;
      out_system_state.machine4_state.ctr
         := (in_system_state.machine4_state.ctr mod 8) + 1;
      out_system_state.machine4_state.j
         := (in_system_state.machine4_state.j mod 7) + 1;
   when Xmit5 =>
      out_system_state.global_variables.MEDIUM
         := in_system_state.machine5_state.outbuf(in_system_state.machine5_state.j);
      out_system_state.machine5_state.outbuf(in_system_state.machine5_state.j).t := E;
      out_system_state.machine5_state.ctr
         := (in_system_state.machine5_state.ctr mod 8) + 1;
      out_system_state.machine5_state.j
         := (in_system_state.machine5_state.j mod 7) + 1;
   when Xmit6 =>
      out_system_state.global_variables.MEDIUM
         := in_system_state.machine6_state.outbuf(in_system_state.machine6_state.j);
      out_system_state.machine6_state.outbuf(in_system_state.machine6_state.j).t := E;
      out_system_state.machine6_state.ctr
         := (in_system_state.machine6_state.ctr mod 8) + 1;
      out_system_state.machine6_state.j
         := (in_system_state.machine6_state.j mod 7) + 1;
   when Xmit7 =>
      out_system_state.global_variables.MEDIUM
         := in_system_state.machine7_state.outbuf(in_system_state.machine7_state.j);
      out_system_state.machine7_state.outbuf(in_system_state.machine7_state.j).t := E;
      out_system_state.machine7_state.ctr
         := (in_system_state.machine7_state.ctr mod 8) + 1;
      out_system_state.machine7_state.j
         := (in_system_state.machine7_state.j mod 7) + 1;
   when Xmit8 =>
      out_system_state.global_variables.MEDIUM
         := in_system_state.machine8_state.outbuf(in_system_state.machine8_state.j);
      out_system_state.machine8_state.outbuf(in_system_state.machine8_state.j).t := E;
      out_system_state.machine8_state.ctr
         := (in_system_state.machine8_state.ctr mod 8) + 1;
      out_system_state.machine8_state.j
         := (in_system_state.machine8_state.j mod 7) + 1;
   when moreD1 | moreD2 | moreD3 | moreD4 | moreD5 | moreD6 | moreD7 | moreD8 =>
      null;
   when others =>
      put("Error in action procedure");
end case;
end Action;
Output Format


separate (main)
procedure output_Gtuple(tuple : in out Gstate_record_type) is
begin
   if print_header then
      new_line(2);
      set_col(7);
      put_line("m1,m2,m3,m4,m5,m6,m7,m8, MEDIUM.t, MEDIUM.DA, MEDIUM.SA, MEDIUM.data");
      print_header := false;
   else
      put(" (" & integer'image(tuple.machine_state(1)));
      put(" , ");
      put(integer'image(tuple.machine_state(2)));
      put(" , ");
      put(integer'image(tuple.machine_state(3)));
      put(" , ");
      put(integer'image(tuple.machine_state(4)));
      put(" , ");
      put(integer'image(tuple.machine_state(5)));
      put(" , ");
      put(integer'image(tuple.machine_state(6)));
      put(" , ");
      put(integer'image(tuple.machine_state(7)));
      put(" , ");
      put(integer'image(tuple.machine_state(8)));
      put(" , ");
      t_field_enum_io.put(tuple.global_variables.MEDIUM.t, set => upper_case);
      put(" , ");
      put(tuple.global_variables.MEDIUM.DA, width => 1);
      put(" , ");
      put(tuple.global_variables.MEDIUM.SA, width => 1);
      put(" , ");
      put(tuple.global_variables.MEDIUM.data);
put (" t Naaah Ie 
   end if;
end output_Gtuple;




Program Output (No Message in outbuf Variable) 
REACHABILITY ANALYSIS of :tb8.scm
SPECIFICATION 


| Machine 1 State Transitions | 


| From | To | Transition | 


| Machine 2 State Transitions | 


| Machine 5 State Transitions | 
| Machine 6 State Transitions |


| From | To | Transition |


| Machine 7 State Transitions |


| Machine 8 State Transitions |

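SYSTEM REACHABILITY GRAPH

 0 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 0 get_tk1 1
 1 [ 2, 0, 0, 0, 0, 0, 0, 0 ] 0 pass1 2
 2 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 1 get_tk2 3
 3 [ 0, 2, 0, 0, 0, 0, 0, 0 ] 0 pass2 4
 4 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 2 get_tk3 5
 5 [ 0, 0, 2, 0, 0, 0, 0, 0 ] 0 pass3 6
 6 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 3 get_tk4 7
 7 [ 0, 0, 0, 2, 0, 0, 0, 0 ] 0 pass4 8
 8 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 4 get_tk5 9
 9 [ 0, 0, 0, 0, 2, 0, 0, 0 ] 0 pass5 10
10 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 5 get_tk6 11
11 [ 0, 0, 0, 0, 0, 2, 0, 0 ] 0 pass6 12
12 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 6 get_tk7 13
13 [ 0, 0, 0, 0, 0, 0, 2, 0 ] 0 pass7 14
14 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 7 get_tk8 15
15 [ 0, 0, 0, 0, 0, 0, 0, 2 ] 0 pass8 0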


SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED) 


Number of states generated :16 
Number of states analyzed :16 


Number of deadlocks : 0
UNEXECUTED TRANSITIONS 


| Machine 1 Unexecuted Transitions |


mored1


mored2


mored3


mored4


mored5
| Machine 6 Unexecuted Transitions |


| From | To | Unexecuted Transition |
| 0    | 1  | rcv6                  |
| 1    | 0  | ready6                |
| 2    | 3  | xmit6                 |
| 3    | 2  | mored6                |
| 3    | 0  | pass_tk6              |


mored7 




Program Output ( One Message in outbuf Variable) 


SYSTEM REACHABILITY GRAPH 


get_tk1
xmit1
rcv2
ready2
pass_tk1
get_tk2
xmit2
rcv1
ready1
pass_tk2
get_tk3
xmit3
rcv1
ready1
pass_tk3
get_tk4
xmit4
rcv1
ready1
pass_tk4
get_tk5
xmit5
rcv1
ready1
pass_tk5
get_tk6
xmit6
rcv1
ready1
pass_tk6
get_tk7
xmit7
rcv1
ready1


34 [ 0, 0, 0, 0, 0, 0, 3, 0 ] 1 pass_tk7 35
35 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 7 get_tk8 36
36 [ 0, 0, 0, 0, 0, 0, 0, 2 ] 0 xmit8 37
37 [ 0, 0, 0, 0, 0, 0, 0, 3 ] 0 rcv1 38
38 [ 1, 0, 0, 0, 0, 0, 0, 3 ] 0 ready1 39
39 [ 0, 0, 0, 0, 0, 0, 0, 3 ] 1 pass_tk8 0


SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED) 


Number of states generated :40 
Number of states analyzed :40 
Number of deadlocks : 0 


UNEXECUTED TRANSITIONS 


| Machine 1 Unexecuted Transitions |

| From | To | Unexecuted Transition |
| 2    | 0  | pass1                 |
| 3    | 2  | mored1                |


| Machine 2 Unexecuted Transitions |

| From | To | Unexecuted Transition |
| 2    | 0  | pass2                 |
| 3    | 2  | mored2                |


| Machine 3 Unexecuted Transitions |

| From | To | Unexecuted Transition |
| 0    | 1  | rcv3                  |
| 1    | 0  | ready3                |
| 2    | 0  | pass3                 |
| 3    | 2  | mored3                |


| Machine 4 Unexecuted Transitions |

| From | To | Unexecuted Transition |
| 0    | 1  | rcv4                  |
| 1    | 0  | ready4                |
| 2    | 0  | pass4                 |
| 3    | 2  | mored4                |


| Machine 5 Unexecuted Transitions |

| From | To | Unexecuted Transition |
| 0    | 1  | rcv5                  |
| 1    | 0  | ready5                |
| 2    | 0  | pass5                 |
| 3    | 2  | mored5                |


| Machine 6 Unexecuted Transitions |

| From | To | Unexecuted Transition |
| 0    | 1  | rcv6                  |
| 1    | 0  | ready6                |
| 2    | 0  | pass6                 |
| 3    | 2  | mored6                |


| Machine 7 Unexecuted Transitions |

| From | To | Unexecuted Transition |
| 0    | 1  | rcv7                  |
| 1    | 0  | ready7                |
| 2    | 0  | pass7                 |
| 3    | 2  | mored7                |


| Machine 8 Unexecuted Transitions |

| From | To | Unexecuted Transition |
| 0    | 1  | rcv8                  |
| 1    | 0  | ready8                |
| 2    | 0  | pass8                 |
| 3    | 2  | mored8                |
Program Output ( More Than One Message in outbuf Variable)


SYSTEM REACHABILITY GRAPH

0 [ 0, 0, 0, 0, 0, 0, 0, 0 ] 0 get_tk1 1
1 [ 2, 0, 0, 0, 0, 0, 0, 0 ] 0 xmit1 2
2 [ 3, 0, 0, 0, 0, 0, 0, 0 ] 0 rcv2 3
3 [ 3, 1, 0, 0, 0, 0, 0, 0 ] 0 ready2 4
4 [ 3, 0, 0, 0, 0, 0, 0, 0 ] 1 mored1 1


SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED) 


Number of states generated :5 
Number of states analyzed :5 
Number of deadlocks : 0 


UNEXECUTED TRANSITIONS 


| Machine 1 Unexecuted Transitions |

| From | To | Unexecuted Transition |
| 0    | 1  | rcv1                  |
| 1    | 0  | ready1                |
| 2    | 0  | pass1                 |
| 3    | 0  | pass_tk1              |


| From | To | Unexecuted Transition |


| Machine 3 Unexecuted Transitions |

| From | To | Unexecuted Transition |


| rcv4
| get_tk4
| ready4
| xmit4
| pass4
| mored4
| pass_tk4
Program Output (Global Reachability Analysis)


There are seven messages in outbuf variable of each machine. 


REACHABILITY ANALYSIS of :tb8.scm 
SPECIFICATION 


| Machine 1 State Transitions |

| From | To | Transition |


| Machine 2 State Transitions |


| Machine 4 State Transitions |


| Machine 5 State Transitions |

| From | To | Transition |
| 0    | 1  | rcv5       |
| 0    | 2  | get_tk5    |
| 1    | 0  | ready5     |
| 2    | 3  | xmit5      |
| 2    | 0  | pass5      |
| 3    | 2  | mored5     |
| 3    | 0  | pass_tk5   |


| Machine 6 State Transitions |

| From | To | Transition |


| Machine 7 State Transitions |

| From | To | Transition |


| Machine 8 State Transitions |

| From | To | Transition |


[m1,m2,m3,m4,m5,m6,m7,m8,MEDIUM.t, MEDIUM.DA, MEDIUM.SA, MEDIUM.data]


REACHABILITY GRAPH 


] pass_tk1 29
] get_tk2


] get_tk1
] xmit1
] rcv2
] ready2
] mored1
] xmit1
] rcv3
] ready3
] mored1
] xmit1
] rcv4
] ready4
] mored1
] xmit1
] rcv5
] ready5
] mored1
] xmit1
] rcv6
] ready6
] mored1
] xmit1
] rcv7
] ready7
] mored1
] xmit1
] rcv8
] ready8
SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)


Number of states generated :263
Number of states analyzed :263